ASA 5510: Want to have traffic between Web, DMZ and Inside Network

Unanswered Question
Oct 20th, 2008

I've attached a clean copy of my config.

I've used the 172.x.x.x and 192.x.x.x to limit visibility.

I'm trying to allow typical traffic from the inside network to the DMZ, traffic from the web sites to the DMZ, and traffic out of the DMZ to both internal and web.


My only success appears to be being able to browse the Internet/Web from both the DMZ servers and the inside network.


I'm trying to map traffic from:

172.16.1.8   ---> 192.168.0.8    Inside
172.16.1.24  ---> 192.168.0.24   Inside DNS
172.16.1.207 ---> 192.168.154.7  DMZ
172.16.1.135 ---> 192.168.154.6  DMZ http, domain (DNS)
             ---> 192.168.0.4    Inside https, smtp
172.16.1.136 ---> 192.154.6      DMZ http, https


Config is working on an old Netscreen 10.

Any help is appreciated.

risenshine4th Mon, 10/20/2008 - 07:08

172.16.1.135 ---> 192.168.154.6  DMZ http, domain (DNS)
172.16.1.135 ---> 192.168.0.4    Inside https, smtp

This one doesn't allow NAT of more than one of the same host IP.

risenshine4th Mon, 10/20/2008 - 11:29

I have updated my configuration.

I question whether or not the outside NAT rules would conflict with the inside and DMZ rules.


I figure one way to overcome the access barrier between the DMZ and Inside is to set the security level of the interfaces to the same level and enable the same level checkbox.

I'd rather keep the interfaces on different levels.


Can anyone confirm a problem with my configuration/rules?


I have used http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html

(I've tried adding the 10.10.10.0 static rule without success. I suspect something is missing here, as this document hides details in the screenshots.)
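A worked configuration for the three-interface layout described in this thread, as an added example: it is not the poster's attached config and not text from the Cisco guide linked above. It uses the poster's addresses and the ASA 8.0 (pre-8.3) NAT syntax the guide uses; the interface names (outside/inside/dmz), security levels (0/100/50), the ASA's own interface addresses, the ACL names and the DMZ-to-inside services are assumptions. Two points matter for the questions raised in this thread: a plain `static` cannot map one outside address (172.16.1.135) to two different real hosts, but port-level statics can; and an identity static between inside and dmz is what lets DMZ hosts reach inside addresses without setting the interfaces to the same security level. The 172.16.1.136 entry is left out because its real address is incomplete in the post.

```cisco
! Added example, not the poster's configuration. Interface names, security levels,
! the ASA's own addresses, ACL names and the DMZ-to-inside services are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.154.1 255.255.255.0
!
! Outbound browsing from both inside and DMZ: dynamic PAT to the outside address.
! This is the part the poster reports as already working.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
!
! Inside <-> DMZ without translation. The identity static keeps inside hosts at
! their real addresses when they talk to the DMZ and, together with the dmz ACL
! below, lets DMZ hosts initiate connections to inside. It is the "10.10.10.0
! static" step of the Cisco DMZ guide with the poster's inside network substituted.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! One-to-one statics for outside addresses that belong to a single real host.
static (inside,outside) 172.16.1.8 192.168.0.8 netmask 255.255.255.255
static (inside,outside) 172.16.1.24 192.168.0.24 netmask 255.255.255.255
static (dmz,outside) 172.16.1.207 192.168.154.7 netmask 255.255.255.255
!
! One outside address shared by two real hosts: translate per port, not per host.
! http and DNS go to the DMZ web server, https and smtp go to the inside host.
static (dmz,outside) tcp 172.16.1.135 www 192.168.154.6 www netmask 255.255.255.255
static (dmz,outside) udp 172.16.1.135 domain 192.168.154.6 domain netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.135 https 192.168.0.4 https netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.135 smtp 192.168.0.4 smtp netmask 255.255.255.255
!
! Inbound from the Internet. Pre-8.3, an ACL on the outside interface matches the
! mapped 172.16.1.x addresses, not the real ones. Only the ports named in the
! thread for .135 are opened; .8, .24 and .207 get no permit here because the
! thread does not say which services they expose, so add those as needed.
access-list outside_in extended permit tcp any host 172.16.1.135 eq www
access-list outside_in extended permit udp any host 172.16.1.135 eq domain
access-list outside_in extended permit tcp any host 172.16.1.135 eq https
access-list outside_in extended permit tcp any host 172.16.1.135 eq smtp
access-group outside_in in interface outside
!
! From the DMZ. dmz (50) is lower than inside (100), so an ACL on the dmz
! interface must explicitly permit anything bound for inside. The two permits
! (assumed needs: DNS lookups against the inside DNS server, mail relay to the
! inside mail host) are followed by a deny for the rest of inside, then a permit
! for everything else so the DMZ can still reach the Internet.
access-list dmz_in extended permit udp host 192.168.154.6 host 192.168.0.24 eq domain
access-list dmz_in extended permit tcp host 192.168.154.6 host 192.168.0.4 eq smtp
access-list dmz_in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.154.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! Inside (100) to dmz (50) and to outside (0) is permitted by default as long as
! no access-group is applied to the inside interface.
```

To check a path without generating traffic, `packet-tracer input dmz udp 192.168.154.6 1025 192.168.0.24 53` walks a DMZ-to-inside DNS packet through the ACL and NAT phases and reports which rule allows or drops it; `show xlate` confirms the identity and port-level translations are built. Keeping the explicit `deny ip any 192.168.0.0 255.255.255.0` ahead of the final permit is what preserves the separation the poster wants without `same-security-traffic permit inter-interface`: the DMZ can reach the two inside services and nothing else inside. Note that ASA 8.3 and later replaced this `static`/`nat`/`global` syntax with object NAT and made interface ACLs match real rather than mapped addresses, so this example applies to the 8.0 release the linked guide covers.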
