new ASA 5510 access rules and NAT

it
Level 1

We are about to replace our old PIX 515E with an ASA 5510.

We are unable to direct traffic to our DMZ (several servers, multiple IPs) and to our Inside network.

Internet is working.

Between the DMZ and Inside too much traffic is allowed; we only want specific ports to be open.

What have we done wrong?

6 Replies

husycisco
Level 7

Hello Kristian,

Can you explain what you mean by "unable to direct traffic to our DMZ - several servers, multiple IPs, and to our Inside Network"?

Regards

We have Exchange in our inside network (one public IP), and an FTP server (another public IP) on the DMZ. But we can't connect to them when using the new firewall.

access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp

access-list Outside_access_in extended permit tcp any host citrix-securegw eq https

access-list Outside_access_in extended permit tcp any host webserver eq www

In the above access-lists, you should permit the traffic to the Public_IP, not the private IPs like "exchange" or "webserver":

access-list Outside_access_in extended permit tcp any host Public_IP eq smtp

access-list Outside_access_in extended permit tcp any host Public_IP eq https

access-list Outside_access_in extended permit tcp any host Public_IP eq www

Plus, assuming that you are using a single public IP, you cannot one-to-one map it to multiple hosts like exchange, webserver, etc. You should use PAT like the following:

static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255

static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255

static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255

Regards

Got it working.

But I'm not able to access my FTP / web servers on my DMZ from the internal network. Using ftp.domain.dk makes a lookup to my public IP (that works from another site). In my old configuration on the PIX 515 it was translated to the IP in my DMZ. Hope this makes sense.

access-list Outside_access_in extended permit udp any host Public_IP eq domain

access-list Outside_access_in extended permit tcp any host Public_IP eq ftp

static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255

static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255

I'm not sure you understood me.

From the internal network 192.9.200.0/24 we want to connect to 172.0.0.0/24 using the public name ftp.domainname.dk.

If we make a lookup we get the public IP 217.x.x.x for that A-record.

We don't have a DNS server in our DMZ.

Our ASA 5510 comes with the base license
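The following is an added example, not configuration posted by anyone in this thread. It combines husycisco's port-PAT approach for a shared public IP with the usual way to let inside hosts reach a DMZ server by its public DNS name on an ASA running the 8.2 (pre-8.3) NAT model: a one-to-one static with the "dns" keyword, which rewrites the A-record in DNS replies crossing the firewall. Interface names Outside/DMZ/Inside, the server names, and all addresses (203.0.113.x, 192.9.200.25, 172.0.0.21) are constructed placeholders.

```cisco
! Added example, not from the thread. Assumes ASA 8.2 syntax (pre-8.3 NAT),
! interfaces Outside (sec 0), DMZ (sec 50), Inside (sec 100); placeholder addresses.
names
name 203.0.113.10 Public_MailIP
name 203.0.113.11 Public_FtpIP
name 192.9.200.25 exchange
name 172.0.0.21 FTPServer
!
! One public IP shared by several services on the inside Exchange host:
! static PAT, one line per port, as husycisco describes.
static (Inside,Outside) tcp Public_MailIP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_MailIP 110 exchange 110 netmask 255.255.255.255
!
! The FTP server has its own public IP, so a one-to-one static is possible and the
! "dns" keyword applies: when an external resolver's reply for ftp.domain.dk
! (A = Public_FtpIP) passes Outside->Inside, the ASA rewrites it to FTPServer.
! Requires DNS inspection; DNS rewrite is not available on port-level PAT statics.
static (DMZ,Outside) Public_FtpIP FTPServer netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
!
! The Outside ACL permits the mapped (public) addresses, never the private ones.
access-list Outside_access_in extended permit tcp any host Public_MailIP eq smtp
access-list Outside_access_in extended permit tcp any host Public_MailIP eq pop3
access-list Outside_access_in extended permit tcp any host Public_FtpIP eq ftp
access-group Outside_access_in in interface Outside
!
! Inside -> DMZ: allow only the required ports, deny the rest of the DMZ,
! then keep general Internet access for the inside network.
access-list Inside_access_in extended permit tcp 192.9.200.0 255.255.255.0 host FTPServer eq ftp
access-list Inside_access_in extended deny ip 192.9.200.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list Inside_access_in extended permit ip 192.9.200.0 255.255.255.0 any
access-group Inside_access_in in interface Inside
!
! With nat-control enabled, Inside -> DMZ traffic also needs a translation;
! an identity static keeps the inside addresses unchanged toward the DMZ.
static (Inside,DMZ) 192.9.200.0 192.9.200.0 netmask 255.255.255.0
```

After applying, "show xlate" and "show access-list Inside_access_in" confirm the translations and hit counts; a DNS lookup from an inside host should now return 172.0.0.21 rather than the public address.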
