10-17-2008 03:04 AM - edited 03-11-2019 06:58 AM
We are about to replace our ole PIX 515E with an ASA5510.
We are unable to direct traffic to our DMZ - several servers, multiple IPs - and to our Inside Network.
Internet is working.
Between DMZ and Inside too much traffic is allowed - We only want specific ports to be open.
What have we done wrong?
10-17-2008 09:16 AM
Hello Kristian,
Can you explain what you mean by "unable to direct traffic to our DMZ - several servers, multiple IPs, and to our Inside Network"?
Regards
10-18-2008 04:26 AM
We have Exchange in our inside network (one public IP), and an FTP server (another public IP) on the DMZ. But we can't connect to them when using the new firewall.
10-18-2008 01:16 PM
access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp
access-list Outside_access_in extended permit tcp any host citrix-securegw eq https
access-list Outside_access_in extended permit tcp any host webserver eq www
In the above access-lists, you should permit the traffic to the Public_IP, not the private IPs like "exchange" or "webserver":
access-list Outside_access_in extended permit tcp any host Public_IP eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq https
access-list Outside_access_in extended permit tcp any host Public_IP eq www
Plus, assuming that you are using a single public IP, you cannot one-to-one map it to multiple hosts like exchange, webserver etc. You should use PAT like the following:
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255
Regards
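The two answers above give the pieces separately (the inbound access-list must reference the mapped public address, and a single public IP must be shared across hosts with static PAT). Below is an added, consolidated example in ASA 8.0-style configuration that is not from the thread: it ties the static PAT entries, the Outside access-list and the access-group together, and adds a DMZ access-list for the original poster's point that too much traffic is allowed from the DMZ into the Inside network. Interface names, the host names exchange, webserver and FTPServer, the 192.9.200.0/24 and 172.0.0.0/24 networks come from the thread; the public address 203.0.113.10, the interface addresses and the Ethernet slot numbers are assumed placeholders.

```cisco
! Added example (not from the thread). Interface addresses and the
! public IP 203.0.113.10 are placeholders; replace with your own.
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.9.200.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.0.0.1 255.255.255.0
!
! Symbolic names so the rest of the config reads like the thread
name 203.0.113.10 Public_IP
name 192.9.200.10 exchange
name 172.0.0.10 webserver
name 172.0.0.11 FTPServer
!
! Outbound: Inside and DMZ share the Outside interface address via dynamic PAT
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
!
! Inbound: one public IP, different ports forwarded to different hosts (static PAT)
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
!
! Inbound access-list matches the mapped (public) address, not the private host
access-list Outside_access_in extended permit tcp any host Public_IP eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq www
access-list Outside_access_in extended permit tcp any host Public_IP eq ftp
access-group Outside_access_in in interface Outside
!
! DMZ -> Inside: allow only what is needed (here: mail relay from the webserver
! to exchange), block everything else towards the Inside network, and let the
! DMZ hosts reach the Internet
access-list DMZ_access_in extended permit tcp host webserver host exchange eq smtp
access-list DMZ_access_in extended deny ip any 192.9.200.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-group DMZ_access_in in interface DMZ
!
! Active FTP data connections need the FTP inspection engine, which the
! default global policy already includes on the ASA
policy-map global_policy
 class inspection_default
  inspect ftp
```

Two points worth checking after applying something like this: `show xlate` should list the three static translations, and `show access-list Outside_access_in` should show hit counts on the `Public_IP` lines rather than on the private hosts once traffic arrives. The order of the DMZ access-list matters: the specific permit for SMTP to exchange must come before the deny to 192.9.200.0/24, since the ASA evaluates entries top to bottom and stops at the first match.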
10-20-2008 05:19 AM
Got it working.
But I'm not able to access my FTP / WEB servers on my DMZ from Intern. Using ftp.domain.dk makes a lookup to my public IP (that works from another site) - in my old configuration on the PIX 515 it was translated to the IP in my DMZ. Hope this makes sense.
10-20-2008 05:49 AM
access-list Outside_access_in extended permit udp any host Public_IP eq domain
access-list Outside_access_in extended permit tcp any host Public_IP eq ftp
static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
10-20-2008 09:53 PM
I'm not sure you understood me.
From intern 192.9.200.0/24 we want to connect to 172.0.0.0/24 using the public name ftp.domainname.dk.
If we make a lookup we get the public IP 217.x.x.x for that A-record.
We don't have a DNS server in our DMZ.
Our ASA 5510 comes with the base license.