05-01-2009 10:26 PM - edited 03-11-2019 08:26 AM
Dear All,
I am configuring my ASA 5510 but having some problems,
I am placing ASA very next to Router,
1- Router (directly attached to the Internet via live IP)
2- ASA (connected to the Router)
3- ASA DMZ interface (servers are connected to it)
4- ASA other fa interface connected to the Core switch (3560)
VLANs are configured on the 3560 and inter-VLAN routing is in place via ACLs
OSPF is running on ASA, Core switch and Router,
PROBLEM
Users in Core switch VLANs can communicate with ASA but cannot communicate with DMZ
Cannot communicate with Internet Router
Router, Switch and ASA are showing Routes in their Routing Tables, but are unable to ping...
Please advise whether there is any other configuration required on ASA,
ASA can communicate with Core switch VLAN Users, DMZ and Internet,
BUT
DMZ is unable to communicate with Core
DMZ is unable to communicate with Internet
PLEASE HELP,
REGARDS,
JUNAID
05-01-2009 11:55 PM
Check your NAT - have you configured it correctly?
Check your interface security levels - have you configured them correctly?
Check your access-lists to allow traffic from lower security levels to higher security levels.
The ASA is a FIREWALL NOT a router.
Below are some config guides to assist you in troubleshooting your config:
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_configure.html
HTH>
05-02-2009 12:43 AM
In addition to Andrew, I would have a look at your security levels for the DMZ interface. If you have set it to 0 you will not be able to communicate with the internet and Inside, since the ASA denies traffic from lower (or equal) level interfaces. So you can't by default communicate from 0 to 100 or 0 to 0.
But first I would really check the NAT.
cheers Michael
05-02-2009 02:17 AM
Dear Michael,
I set my security level for all interfaces to 50
security level 50 for DMZ
50 for Inside
50 for Outside
Secondly, I haven't applied NAT... NATing is performed by the Router
05-02-2009 02:29 AM
Read the below:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1043290
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1039276
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wpxref77088
HTH>
05-02-2009 03:01 AM
What security level do you suggest for DMZ, Inside and Outside?
05-02-2009 03:36 AM
Outside - 0
DMZ - 50
Inside - 100
You then control what can access the inside, from the outside/dmz. You can also control what can access the dmz from the outside. The inside can access everything as default.
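Added example (not part of any poster's reply): the 0/50/100 levels suggested above written as ASA 8.0-style configuration, next to the all-50 setup described earlier in the thread. Interface numbers, IP addresses, the ACL name DMZ_IN and the permitted service are constructed assumptions, and NAT is assumed to stay on the router as the original poster described.

```cisco
! BEFORE (as described in the thread): outside, dmz and inside all at level 50.
! Traffic between interfaces that share a security level is dropped unless
! "same-security-traffic permit inter-interface" is configured, so equal
! levels remove the default trust ordering between zones.
!
! AFTER: graded levels. Addresses below are constructed placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.50.1 255.255.255.0
!
! NAT is done on the router in this design (pre-8.3 syntax; assumption).
no nat-control
!
! Lower-to-higher traffic (dmz -> inside) needs an explicit permit.
! Allow only the one service the DMZ server needs, block the rest of the
! inside range (assumed 10.0.0.0/8), then let the DMZ reach the Internet.
access-list DMZ_IN extended permit tcp host 172.16.50.10 host 10.0.10.20 eq 1433
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! ICMP is not inspected by default, so echo replies coming back to a
! higher-security interface are dropped and ping tests fail even when
! routing is correct. Inspecting ICMP avoids opening it in ACLs.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying, `show nameif` lists each interface with its security level, and `packet-tracer` shows which rule permits or drops a given flow.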