new ASA 5510 access rules and NAT

Unanswered Question

We are about to replace our old PIX 515E with an ASA5510.

We are unable to direct traffic to our DMZ - several servers, multiple IPs, and to our Inside Network.

Internet is working.

Between DMZ and Inside too much traffic is allowed - We only want specific ports to be open.

What have we done wrong?

husycisco Fri, 10/17/2008 - 09:16

Hello Kristian,

Can you explain what you mean by "unable to direct traffic to our DMZ - several servers, multiple IPs, and to our Inside Network"?

Regards

husycisco Sat, 10/18/2008 - 13:16

access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp

access-list Outside_access_in extended permit tcp any host citrix-securegw eq https

access-list Outside_access_in extended permit tcp any host webserver eq www

In the above access-lists, you should permit the traffic to Public_IP, not the private IPs like "exchange" or "webserver":

access-list Outside_access_in extended permit tcp any host Public_IP eq smtp

access-list Outside_access_in extended permit tcp any host Public_IP eq https

access-list Outside_access_in extended permit tcp any host Public_IP eq www

Plus, assuming that you are using a single public IP, you cannot one-to-one map it to multiple hosts like exchange, webserver etc. You should use PAT like the following:

static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255

static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255

static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255

Regards

husycisco Mon, 10/20/2008 - 05:49

access-list Outside_access_in extended permit udp any host Public_IP eq domain

access-list Outside_access_in extended permit tcp any host Public_IP eq ftp

static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255

static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
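A small cross-check in the spirit of the advice above, added here as an example and not part of the original posts: it parses pre-8.3 "static" PAT lines and "access-list ... permit" lines and flags permits that name the real DMZ/Inside host instead of the mapped public address, permits with no translation behind them, and translations that no permit reaches. The sample config reuses the thread's placeholder names (Public_IP, webserver, exchange) and is constructed; object-group sources are assumed away and only "any" sources are parsed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config in the thread's pre-8.3 ASA syntax; "Public_IP",
# "webserver" and "exchange" are the thread's own placeholder names.
SAMPLE_CONFIG = """
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host webserver eq www
access-list Outside_access_in extended permit tcp any host Public_IP eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq https
"""

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53, "ftp": 21}
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# Source is simplified to "any" (assumption); object-group sources are not parsed.
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)")


def port_number(token: str) -> int:
    """Resolve an ASA port keyword (www, smtp, ...) or a bare port number."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config: str) -> List[str]:
    """Cross-check inbound permits against static PAT entries (pre-8.3 semantics:
    the ACL must name the mapped public address, not the real DMZ/Inside host)."""
    statics: Dict[Tuple[str, str, int], str] = {}  # (proto, mapped_ip, mapped_port) -> real host
    real_hosts = set()
    permits: List[Tuple[str, str, int]] = []
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            proto, mapped, mport, real, _ = m.groups()
            statics[(proto, mapped, port_number(mport))] = real
            real_hosts.add(real)
        elif m := ACL_RE.match(line):
            proto, host, port = m.groups()
            permits.append((proto, host, port_number(port)))
    findings = []
    for proto, host, port in permits:
        if host in real_hosts:
            findings.append(f"permit {proto}/{port} names real host {host}; use the mapped public address")
        elif (proto, host, port) not in statics:
            findings.append(f"permit {proto}/{port} to {host} has no matching static translation")
    for (proto, mapped, port), real in statics.items():
        if (proto, mapped, port) not in permits:
            findings.append(f"static {proto}/{port} {mapped}->{real} has no permit; inbound traffic is dropped")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```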
