11-06-2008 01:45 PM - edited 03-11-2019 07:09 AM
I need a working sample config based on these simple details:
Outside 172.16.1.2 255.255.255.0 level 0
Inside 192.168.0.3 255.255.255.0 level 100
DMZ 192.168.154.1 255.255.255.0 level 50
Web1 172.16.1.7 needs to map to DMZ 192.168.154.7 smtp, https
Web2 172.16.1.24 needs to map to inside 192.168.0.4 DNS https
1. I would like the inside network to be able to reach any server in the DMZ on any service. Also be able to reach the web pages.
2. I would like the DMZ to pass only limited information like port http, but I can build from any rule that works.
3. I would like to be able to browse the internet from the DMZ and inside.
I will rate high on any working configurations. I will rate each unique example using varied Nat types.
11-06-2008 01:55 PM
John
static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255
1) static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
You don't need an acl because it is going from inside to DMZ.
2) access-list DMZ_in permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
This would allow all hosts on DMZ to talk to any host on inside on port 80. As you say you can narrow it down.
3) nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
Again you don't need an acl because you are going from higher to lower security level interfaces.
Jon
11-07-2008 09:26 AM
This doesn't appear to be working. Can you create a show running-config that I can build from?
11-07-2008 09:34 AM
John
Could you be a bit more specific - which bits work and which don't. If none of it works then can you check basics such as both interfaces are up etc.
Jon
11-07-2008 11:54 AM
I am unable to pass any traffic to the DMZ from the inside. I can't pass any traffic from the DMZ to the inside...on specific ports and open to any. All interfaces are up.
I cl xlate
I wonder if the default from a higher security to a lower security rules are working.
All I can do is browse the internet.
I guess I could try another asa 5510.
I do appreciate the help.
11-07-2008 12:11 PM
Hello John,
Please post your running config and let us advise on config
Regards
11-10-2008 01:13 PM
11-12-2008 12:45 PM
I've started over several times. I seem to be getting back to the same place...
Can browse the internet from DMZ or Inside PCs.
I just can't seem to pass any traffic between them.
I even put all interfaces in one pool to allow access to allow dynamic translation to the dmz and outside...translation from the dmz to inside and outside interface pools.
What am I missing?
11-12-2008 02:11 PM
You have an acl:
access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0
But you're not allowing traffic back in:
permit ip 192.168.0.0 255.255.255.0 any
If the above acl doesn't work, try to do "permit ip any any" to see if you can get ANY traffic at all.
HTH
--John
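A complete running-config fragment assembled from the pieces in this thread (Jon's statics, nat/global and DMZ ACE, plus John's point that an ACL bound to an interface must also permit the traffic you still want). This is an added example, not a config posted by anyone in the thread; the Ethernet0/x interface names, nameif values outside/inside/dmz, the hostname and the outside_access_in ACL are assumptions.

```text
! Assembled example for the thread's addressing; not the poster's or Jon's config.
! Assumed: interface names Ethernet0/x, nameif outside/inside/dmz, hostname.
hostname asa5510
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.154.1 255.255.255.0
!
! Item 3: dynamic PAT to the outside interface address for inside and DMZ
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
!
! Item 1: identity static so inside reaches the DMZ untranslated (needed with
! nat-control). No ACL is bound to inside; if one is added it must permit
! 192.168.0.0 255.255.255.0 any, as John notes, or the implicit deny drops it.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! Port statics publishing Web1 (DMZ) and Web2 (inside) on outside addresses
static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255
!
! Inbound from the Internet: only the published services (assumed ACL name)
access-list outside_access_in extended permit tcp any host 172.16.1.7 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.1.7 eq https
access-list outside_access_in extended permit udp any host 172.16.1.24 eq domain
access-list outside_access_in extended permit tcp any host 172.16.1.24 eq https
access-group outside_access_in in interface outside
!
! Item 2: once an ACL is bound to dmz the implicit deny applies, so after the
! port-80 rule explicitly deny the rest of inside and then permit Internet access.
access-list dmz_access_in extended permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq www
access-list dmz_access_in extended deny ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
```

The ordering of the dmz_access_in entries matters: with only the first ACE bound to the interface, DMZ hosts lose Internet browsing, which matches the symptom of the ACL appearing in ASDM rules but not behaving as expected.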
11-14-2008 12:47 PM
Exactly what I was missing.
It shows this rule in the ASDM Rules but this ACL is clearly missing from the ACL Manager.
Kind of odd. I thought that ACEs and the defined access rules were the same thing for DMZ incoming rules. So it must be a weird error for one to exist without the other.
John
11-14-2008 01:04 PM
Thank you for letting me know, and the rating! :-)
--John