10-17-2008 03:04 AM - edited 03-11-2019 06:58 AM
We are about to replace our old PIX 515E with an ASA5510.
We are unable to direct traffic to our DMZ (several servers, multiple IPs) and to our inside network.
Internet is working.
Between the DMZ and the inside network too much traffic is allowed; we only want specific ports to be open.
What have we done wrong?
10-17-2008 09:16 AM
Hello Kristian,
Can you explain what you mean by "unable to direct traffic to our DMZ - several servers, multiple IPs, and to our Inside Network"?
Regards
10-18-2008 04:26 AM
We have Exchange in our inside network (one public IP) and an FTP (another public IP) on the DMZ, but we can't connect to them when using the new firewall.
10-18-2008 01:16 PM
access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp
access-list Outside_access_in extended permit tcp any host citrix-securegw eq https
access-list Outside_access_in extended permit tcp any host webserver eq www
In the above access-lists, you should permit the traffic to the Public_IP, not the private IPs like "exchange" or "webserver":
access-list Outside_access_in extended permit tcp any host Public_IP eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq https
access-list Outside_access_in extended permit tcp any host Public_IP eq www
Plus, assuming that you are using a single public IP, you cannot one-to-one map it to multiple hosts like exchange, webserver, etc. You should use PAT like the following:
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255
Regards
10-20-2008 05:19 AM
Got it working.
But I'm not able to access my FTP / web servers on my DMZ from internal. Using ftp.domain.dk does a lookup to my public IP (that works from another site). In my old configuration on the PIX 515 it was translated to the IP in my DMZ. Hope this makes sense.
10-20-2008 05:49 AM
access-list Outside_access_in extended permit udp any host Public_IP eq domain
access-list Outside_access_in extended permit tcp any host Public_IP eq ftp
static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
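The two replies above pair each inbound access-list entry with a static PAT on the mapped (public) address. The check below is an added example, not code from this thread or from Cisco: it parses the pre-8.3 `static` and `access-list` syntax shown here and reports the three mismatches a reviewer would look for, an ACL entry that still names the real host (the original "host exchange" line), an ACL permit with no static behind it, and a static with no ACL permit. "Public_IP", "exchange", "webserver", "DNSServer" and "FTPServer" are the thread's placeholder names, and the sample config is constructed from the lines posted above.

```python
"""Lint ASA (pre-8.3) static PAT entries against the inbound access-list."""
import re
from dataclasses import dataclass

# Constructed sample: the corrected lines from the two replies, plus the
# original entry that still names the private host "exchange". The host
# names are the thread's placeholders, not real addresses.
SAMPLE_CONFIG = """\
access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq https
access-list Outside_access_in extended permit tcp any host Public_IP eq www
access-list Outside_access_in extended permit udp any host Public_IP eq domain
access-list Outside_access_in extended permit tcp any host Public_IP eq ftp
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255
static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
"""

# Service keywords the ASA accepts instead of port numbers (only those used here).
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "domain": 53, "ftp": 21}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask \S+$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"(?:any|object-group \S+|host \S+) host (?P<dst>\S+) eq (?P<port>\S+)$"
)


def port_number(token: str) -> int:
    """Resolve an ASA service keyword or a numeric port to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: str
    mapped: str   # public (mapped) address the outside world connects to
    mport: int
    real: str     # inside/DMZ host the connection is forwarded to
    rport: int


@dataclass(frozen=True)
class AclEntry:
    name: str
    proto: str
    dst: str
    port: int


def parse(config: str):
    """Split config text into static PATs and inbound ACL entries; other lines are ignored."""
    statics, entries = [], []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(Static(m["real_if"], m["mapped_if"], m["proto"], m["mapped"],
                                  port_number(m["mport"]), m["real"], port_number(m["rport"])))
        elif m := ACL_RE.match(line):
            entries.append(AclEntry(m["name"], m["proto"], m["dst"], port_number(m["port"])))
    return statics, entries


def lint(config: str) -> list[str]:
    """Return one finding per ACL/static mismatch; an empty list means the two agree."""
    statics, entries = parse(config)
    real_hosts = {s.real for s in statics}
    forwarded = {(s.proto, s.mapped, s.mport) for s in statics}
    permitted = {(e.proto, e.dst, e.port) for e in entries}
    findings = []
    for e in entries:
        if e.dst in real_hosts:
            findings.append(f"{e.name}: '{e.dst}' is the real host behind a static; "
                            f"permit the mapped address instead")
        elif (e.proto, e.dst, e.port) not in forwarded:
            findings.append(f"{e.name}: permits {e.proto}/{e.port} to {e.dst} "
                            f"but no static forwards it")
    for s in statics:
        if (s.proto, s.mapped, s.mport) not in permitted:
            findings.append(f"static ({s.real_if},{s.mapped_if}): {s.proto}/{s.mport} -> {s.real} "
                            f"has no matching access-list permit, so it stays unreachable")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the leftover "host exchange" entry, the https permit that has no static (the reply permits 443 but only forwards 80, 25 and 110), and the pop3 static that nothing permits. It is a text-level consistency check only; the ASA's own `packet-tracer` command remains the way to confirm what the box actually does with a flow.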
10-20-2008 09:53 PM
I'm not sure you understood me.
From the internal network 192.9.200.0/24 we want to connect to 172.0.0.0/24 using the public name ftp.domainname.dk.
If we do a lookup, we get the public IP 217.x.x.x for that A record.
We don't have a DNS server in our DMZ.
Our ASA 5510 comes with the base license.