01-22-2009 08:50 AM - edited 03-11-2019 07:40 AM
I am setting up ASA 5505's for some telecommuters and I have a question. I broke the ASA into 3 VLAN's. One for outside internet connection from cable , DSL, or what ever, one for the VPN back to our Corp Network, and one for the DMZ to allow full access to the net for home computers. My VPN to corp network works great, but the DMZ doesn't allow traffic to flow to the internet. Here is how I have the DMZ configured.
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.240.1 255.255.255.0
interface Ethernet0/1
switchport access vlan 5
interface Ethernet0/2
switchport access vlan 5
interface Ethernet0/3
switchport access vlan 5
dhcpd address 192.168.240.100-192.168.240.150 dmz
dhcpd enable dmz
No ACL and the no forward statement so the DMZ can't get to the inside (Corp VPN) interface and DHCP for any PC's or other wireless routers plugged into the DMZ ports.
Any help would be appreciated.
Dan
01-22-2009 10:38 AM
Hi Dan,
In your description: "but the DMZ doesn't allow traffic to flow to the internet"
You need to NAT your DMZ interface with your global in order to get outbound internet access, including an access list to permit DMZ outbound internet.
nat (dmz) 1 192.168.240.0 255.255.255.0
global (outside)1 interface
access-list dmz_access extended permit ip any any
access-group dmz_access in interface dmz
The above will provide outbound internet access for the dmz segment.
"No ACL and the no forward statement so the DMZ can't get to the inside (Corp VPN) interface and DHCP for any PC's or other wireless routers plugged into the DMZ ports."
Now.. I'm not too sure about your above statement. Do you mean the DMZ segment is unable to access the CorpVPN interface segment? PLS let me know otherwise if I am not understanding correctly.
You will need a couple of statements, assuming the interface in the ASA is (corpVPN) and its subnet is 20.20.20.0/24.
You can do a nonat access list, or add to your existing nonat ACL.
access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (dmz) 0 access-list inside_nat0_outbound
Or, instead of the above, you can also do:
static (inside,dmz) 20.20.20.0 20.20.20.0 netmask 255.255.255.0
and allow traffic from dmz to inside via ACL.
Regards
01-22-2009 11:19 AM
I thought I had the following in the config but didn't.
nat (dmz) 1 192.168.240.0 255.255.255.0
global (outside)1 interface
access-list dmz_access extended permit ip any any
access-group dmz_access in interface dmz
As for the "No ACL and the no forward statement so the DMZ can't get to the inside (Corp VPN) interface and DHCP for any PC's or other wireless routers plugged into the DMZ ports." I just want to keep the DMZ and the inside interface (VPN) separate (no connection between the DMZ and inside interface).
Thanks
01-22-2009 11:27 AM
Ok, then you do not need my suggestion pertaining to DMZ access to inside.
PLS let me know if your problem is resolved to further assist you, PLS rate post if it helped.
Regards
01-22-2009 11:43 AM
I will test this tonight and let you know.
Thanks.
01-22-2009 03:20 PM
I had to change the access-list dmz_access extended permit ip any any to access-list dmz_access extended permit ip 192.168.240.0 255.255.255.0 any because this was causing my Internet traffic not to run through the VPN connection and then allowing them to surf whatever unfiltered.
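An added config-audit script (my own, not from this thread or from Cisco) that parses the pre-8.3 ASA nat/global/ACL statements discussed above and flags the two problems the thread hit: a DMZ with no nat/global pair, and a DMZ access list that permits any source instead of the 192.168.240.0/24 segment. The sample config and the finding messages are constructed for the example.

```python
import re

# Constructed sample built from the thread's DMZ config (not copied from a live device),
# including the over-broad ACL the poster later tightened.
SAMPLE_CONFIG = """
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.240.1 255.255.255.0
nat (dmz) 1 192.168.240.0 255.255.255.0
global (outside) 1 interface
access-list dmz_access extended permit ip any any
access-group dmz_access in interface dmz
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip any any", "permit ip 192.168.240.0 255.255.255.0 any")

def parse(config):
    """Collect the pre-8.3 ASA nat/global/ACL lines that govern outbound access."""
    st = {"nat": {}, "global": set(), "acl": {}, "group": {}}
    for raw in config.splitlines():
        line, t = raw.strip(), raw.split()
        m = re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", line)
        g = re.match(r"global \(\w+\) ?(\d+)", line)
        if m and m[2] != "0":                   # nat (dmz) 1 <net> <mask>; skip nat 0 exemptions
            st["nat"][m[1]] = (int(m[2]), m[3], m[4])
        elif g:                                 # global (outside) 1 interface
            st["global"].add(int(g[1]))
        elif len(t) >= 6 and t[0] == "access-list" and t[2] == "extended":
            src = t[5:]                         # tokens after the protocol
            source = "any" if src[0] == "any" else (
                src[1] + "/32" if src[0] == "host" else f"{src[0]} {src[1]}")
            st["acl"].setdefault(t[1], []).append((t[3], source))  # (permit|deny, source)
        elif len(t) == 5 and t[0] == "access-group" and t[2] == "in":
            st["group"][t[4]] = t[1]            # interface -> applied ACL name
    return st

def audit(config, iface="dmz"):
    """Explain why outbound access from iface fails or is over-permissive."""
    st, findings = parse(config), []
    nat = st["nat"].get(iface)
    if nat is None:
        findings.append(f"no nat ({iface}) statement: traffic cannot reach the internet")
    elif nat[0] not in st["global"]:
        findings.append(f"nat ({iface}) {nat[0]} has no matching global pool")
    acl = st["group"].get(iface)
    for action, source in st["acl"].get(acl, []):
        if action == "permit" and source == "any":
            findings.append(f"{acl} permits any source; restrict it to the {iface} subnet")
    return findings
```

Running audit(SAMPLE_CONFIG) flags the original dmz_access list; audit(FIXED_CONFIG) returns no findings.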