I am testing an ASA5510 configuration prior to implementation. Currently we use static NAT for a number of machines located on the inside network that we access from the outside. I use Access-lists to control what ports are opened up. Everything seems to work fine.
I know that in the near future, I will be asked to set up a DMZ and place some items there. So, I have been testing a simple configuration where I have one machine in the DMZ and I open up ports to it. I also set up static NAT for the machine in the DMZ.
Here's the problem. What I am finding is that I can only get one side to work at a time.
I have the following statements in place, but when I view the config, only one of them is active. I am guessing that you can't have these statements applied to the same interface. If this is true, can someone tell me what I need to change?
access-group outside_access_in in interface outside
access-group outside_to_dmz in interface outside
As I said, only one statement seems to be saved. If I allow access to the inside, then I can't access the machine in the DMZ. If I allow the statement for the DMZ, then I can't access the machines on the inside network.
This seems to be the only hurdle I am facing with regards to getting this to work...I hope.
Any comments would be appreciated.
Just merge the two access-lists together and use just the one, i.e.
take the entries from your outside_to_dmz ACL and add them to your outside_access_in ACL, and then just apply outside_access_in to the interface. This is a very standard thing to do.
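As an added illustration of the merge described above (not part of the original post), here is what the relevant part of the ASA config could look like once both sets of entries live in a single ACL bound to the outside interface. It assumes pre-8.3 ASA syntax, where the ACL references the translated (outside) addresses, and all addresses, interface names and ports are constructed placeholders, as are the two hosts: an inside web server and a DMZ web server.

```cisco
! Static NAT for the inside host and for the DMZ host (placeholder addresses)
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255

! One ACL carries the entries that used to be split across
! outside_access_in and outside_to_dmz. Only the ports that are
! actually needed are permitted; everything else falls to the implicit deny.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_access_in extended permit tcp any host 203.0.113.20 eq www

! Only one access-group per interface and direction is allowed, so the
! second "access-group ... in interface outside" line overwrote the first.
! Bind the merged ACL once:
access-group outside_access_in in interface outside
```

After applying it, "show run access-group" should list exactly one inbound ACL on the outside interface, and "show access-list outside_access_in" shows hit counts per entry, which is a quick way to confirm that traffic to both the inside host and the DMZ host is matching the intended lines rather than the implicit deny.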