DMZ - Help

Unanswered Question
Aug 7th, 2009


Recently we purchased an ASA 5510 and need your help to understand why from inside I am not able to see the DMZ server and outside. Physical connectivity is OK, reachability from ASA to DMZ is OK.

Traffic is going to internet from ASA

Is the ACL correct as per my need?

Outside to DMZ needs ports 1080, 1081, 6588, 80, 3128.

DMZ to outside needs ports smtp, 5512, dns udp and tcp.

Inside to DMZ, local server should only communicate to DMZ Server

Can get help

I have plugged the configuration

Collin Clark Fri, 08/07/2009 - 06:13

I see a couple of things to fix. In the DMZ ACL you are permitting the traffic you want to allow from the outside, but it is applied inbound to the DMZ interface. It should be applied to the outside interface. Same for the OUTSIDE ACL. I would rename them to make more sense; outside2dmz or outside_dmz. Second, you're missing NAT for traffic to get to the internet for both the inside and the DMZ. You're also missing NAT for DMZ to inside (if you require it). If you need help with configuring NAT, just shout.

saquib.nawazz Fri, 08/07/2009 - 08:15

Hi Clark,

ACL Outside is restricting traffic coming from Inside.

ACL DMZ is allowing traffic going out (Inside).

ACL INSIDE is restricting traffic going out (DMZ or Internet), which was removed as the others were not working.

Can get help on missing config and NAT

Collin Clark Fri, 08/07/2009 - 12:46


global (OUTSIDE) 1 interface

!--- This will use the OUTSIDE IP as PAT

nat (INSIDE) 1

!--- This is who should be NAT'd

nat (DMZ) 1

!--- This is who should be NAT'd

You don't need NAT from INSIDE to DMZ.
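
The ACL placement and PAT advice in the replies above, written out as an added example that is not part of the original thread or the poster's attached configuration. It assumes the pre-8.3 `nat`/`global` syntax used in the reply; all IP addresses and the name `dmz_outside` are constructed placeholders, the interface names and `outside_dmz` come from the thread, and it covers only the outside-to-DMZ rules, the DMZ-to-outside rules and PAT to the internet.

```cisco
! Constructed placeholder addresses (not from the thread):
!   192.0.2.10      public address published for the DMZ server
!   172.16.1.10     real address of the DMZ server
!   172.16.1.0/24   DMZ network
!   192.168.1.0/24  inside network

! --- Outside to DMZ ---
! Publish the DMZ server on the outside with a static translation.
static (DMZ,OUTSIDE) 192.0.2.10 172.16.1.10 netmask 255.255.255.255

! Permit only the ports the question lists. In pre-8.3 syntax the ACL
! matches the translated (public) address.
access-list outside_dmz extended permit tcp any host 192.0.2.10 eq 80
access-list outside_dmz extended permit tcp any host 192.0.2.10 eq 1080
access-list outside_dmz extended permit tcp any host 192.0.2.10 eq 1081
access-list outside_dmz extended permit tcp any host 192.0.2.10 eq 3128
access-list outside_dmz extended permit tcp any host 192.0.2.10 eq 6588

! Traffic from the internet enters on OUTSIDE, so the ACL is bound
! inbound there, not on the DMZ interface.
access-group outside_dmz in interface OUTSIDE

! --- DMZ to outside ---
! Traffic sourced from the DMZ server enters on DMZ, so this ACL is
! bound inbound on DMZ. Everything else hits the implicit deny.
access-list dmz_outside extended permit tcp host 172.16.1.10 any eq smtp
access-list dmz_outside extended permit tcp host 172.16.1.10 any eq 5512
access-list dmz_outside extended permit udp host 172.16.1.10 any eq domain
access-list dmz_outside extended permit tcp host 172.16.1.10 any eq domain
access-group dmz_outside in interface DMZ

! --- PAT to the internet ---
! Hosts matched by NAT ID 1 are translated to the OUTSIDE interface IP.
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.1.0 255.255.255.0
nat (DMZ) 1 172.16.1.0 255.255.255.0
```

After applying, `show access-list` shows per-line hit counts and `show xlate` shows the active translations, which confirms whether traffic is matching the intended rule and interface.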

saquib.nawazz Fri, 08/07/2009 - 22:30


I got this clear.

Is the ACL Ok.

Is PAT required if -

We have Squid (proxy) on the inside network, which should only send http traffic outside on internal users' behalf.

allow IPSEC for Cisco Client VPN Traffic from inside to outside

Rest all other traffic should be blocked from inside to outside.

