03-13-2009 02:23 AM
Hi Experts,
I have an HTTP server in the DMZ which I need to give access to the inside network (LAN).
I have configured the ASA 5510 as follows.
The problem is I could access HTTP and ping the HTTP server from the LAN.
Configuration:
interface Ethernet0/0
 description LAN Interface
 nameif LAN
 security-level 99
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1
 description DMZ Interface
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
static (DMZ,LAN) 20.20.20.20 10.10.10.2 netmask 255.255.255.255 (original IP is 10.10.10.2, mapped to 20.20.20.20)
access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq echo
access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq echo-reply
access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq 80 permit ip any any
access-group INSIDE TO DMZ in interface LAN
router rip
 version 2
 network 10.10.10.0
 network 192.168.2.0
 default-information originate
Please help me with what I have done wrong in the configuration.
03-14-2009 12:03 PM
I am totally confused.
1. Is this on a 5505 or a 5510? If it's a 5505 you can't do it. You're only allowed 2 VLANs on the 5505. The 3rd is only allowed to talk to 1 other VLAN.
2. You say that you want a device in your DMZ to have full access to devices in your inside network. The purpose of putting something in your DMZ is so that it can't talk to anything on the inside. You might have a design flaw there.
3. You wrote "Problem is i could access http and ping http server from LAN." which confuses me too. You don't want that to happen?
03-16-2009 06:06 AM
Well, I am assuming that you are not able to access your web server when you enter 20.20.20.20 on your machine from the inside network (LAN).
Here are a few points to consider then:
1. Following access list is not correct:
access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq 80 permit ip any any
I would put following instead of above one:
access-list INSIDE TO DMZ extended permit tcp host 192.168.2.2 host 20.20.20.20 eq 80
2. ICMP is not stateful. So you need to allow ICMP echo and echo-reply from DMZ to LAN as well, or use "fixup protocol icmp" (I didn't have a good experience using fixup for ICMP).
3. I hope the gateway on 192.168.2.2 is 192.168.2.1. If not, add the following static route on that system:
route add 20.20.20.20 mask 255.255.255.255 192.168.2.1
It should work then. Cheers.
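A corrected configuration that combines the points raised in the replies, added here as an example and not taken from any post in the thread. It assumes the ACL is renamed to INSIDE_TO_DMZ (a name with spaces, as written in the posts, is not accepted by the ASA parser), a pre-8.3 release (so the LAN-side ACL matches the mapped address 20.20.20.20 while a DMZ-side ACL matches the real address 10.10.10.2), a single client 192.168.2.2, and that the web server's default gateway is 10.10.10.1. Note that on the ASA an ICMP type is written directly after the destination (echo, echo-reply) rather than with "eq", and port 80 must be permitted as TCP, not ICMP.

```cisco
! Added example (not from the thread). Assumed names: INSIDE_TO_DMZ, DMZ_TO_INSIDE.
interface Ethernet0/0
 description LAN Interface
 nameif LAN
 security-level 99
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
 description DMZ Interface
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Real 10.10.10.2 on the DMZ is reachable from the LAN as 20.20.20.20
static (DMZ,LAN) 20.20.20.20 10.10.10.2 netmask 255.255.255.255
!
! Inbound on LAN, so the ACL matches the mapped address.
! Port 80 is TCP; ICMP types are given directly, without "eq".
access-list INSIDE_TO_DMZ extended permit tcp host 192.168.2.2 host 20.20.20.20 eq www
access-list INSIDE_TO_DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 echo
access-group INSIDE_TO_DMZ in interface LAN
!
! Option A: track ICMP state so echo-replies return without a DMZ-side rule.
! (service-policy global_policy global is present by default.)
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: instead of inspecting ICMP, explicitly permit the replies inbound
! on DMZ. This ACL sees the real server address, not the mapped one.
access-list DMZ_TO_INSIDE extended permit icmp host 10.10.10.2 host 192.168.2.2 echo-reply
access-group DMZ_TO_INSIDE in interface DMZ
```

Use either option A or option B, not both. Keep in mind that applying an access-group inbound on DMZ adds an implicit deny for every other connection the server initiates (updates, DNS), so any such traffic needs its own entry in DMZ_TO_INSIDE; TCP replies to the LAN client need no rule because TCP connections are tracked. To check the result without a client, run `packet-tracer input LAN tcp 192.168.2.2 12345 20.20.20.20 80` and `packet-tracer input LAN icmp 192.168.2.2 8 0 20.20.20.20`, then confirm the translation with `show xlate`.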