Traffic flow on ASA

Unanswered Question
Nov 3rd, 2009

Hello,

Is this config ok, as per the need?

But still not working, except SMTP.


Requirement

* allow SMTP traffic from outside to host 80.1.2.3

* allow port 5512 from inside to outside for host 192.168.20.50

* allow inside host 192.168.1.10 to communicate on port 443 to dmz host 172.10.10.5


%%%%config%%%%

interface GigabitEthernet0/0
description "Connected to Internet"
speed 100
duplex full
nameif Outside
security-level 0
ip address 80.1.2.1 255.255.255.240
!
interface GigabitEthernet0/1
description "Connected to LAN"
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
!
interface GigabitEthernet0/3
description "Connected to DMZ-SW"
speed 100
duplex full
nameif DMZ
security-level 50
ip address 172.10.10.1 255.255.255.0

access-list OUTSIDE extended permit tcp any host 80.1.2.3 eq smtp

access-list INSIDE extended permit tcp host 192.168.20.50 any eq 5512
access-list INSIDE extended permit tcp host 192.168.20.100 any eq SMTP

access-list DMZ extended permit tcp host 172.10.10.5 eq 443 host 192.168.1.10 eq 443

global (Outside) 1 interface
nat (inside) 1 192.168.20.50 255.255.255.255

static (inside,DMZ) 172.10.10.5 192.168.1.10 netmask 255.255.255.255
static (inside,Outside) 80.1.2.3 192.168.20.100 netmask 255.255.255.255

access-group OUTSIDE in interface Outside
access-group INSIDE in interface inside
access-group DMZ in interface DMZ

route Outside 0.0.0.0 0.0.0.0 80.1.2.2



Jon Marshall Tue, 11/03/2009 - 13:27

Nasr

So only SMTP to 80.1.2.3 is working?

If so then

1) allow inside host 192.168.1.10 to communicate on port 443 to dmz host 172.10.10.5

you need to modify the config -

remove this from your config -

static (inside,DMZ) 172.10.10.5 192.168.1.10 netmask 255.255.255.255

add this to your config -

access-list INSIDE permit tcp host 192.168.1.10 host 172.10.10.5 eq 443

static (inside,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

2) allow port 5512 from inside to outside for host 192.168.20.50

your config for this should work.

Jon
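To see why the inside-to-DMZ flow has to be permitted by an entry in the INSIDE ACL (the one applied inbound on the interface the client's traffic enters) rather than by the original DMZ entry, here is an added Python model of ASA first-match extended ACL evaluation that parses the ACE lines from this thread; it is example code, not anything from the thread or from Cisco, and the port-keyword table is an assumed subset.

```python
from ipaddress import ip_address
# ACEs copied from the thread: the original post's INSIDE and DMZ entries plus Jon's INSIDE fix.
ACL_LINES = [
    "access-list INSIDE extended permit tcp host 192.168.20.50 any eq 5512",
    "access-list INSIDE extended permit tcp host 192.168.20.100 any eq SMTP",
    "access-list INSIDE permit tcp host 192.168.1.10 host 172.10.10.5 eq 443",
    "access-list DMZ extended permit tcp host 172.10.10.5 eq 443 host 192.168.1.10 eq 443",
]
# Port keywords the ASA accepts in place of numbers (assumed subset, enough for this thread).
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "domain": 53}

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; None means any address."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ip_address(tokens.pop(0))
    raise ValueError(f"unsupported address spec: {tok}")

def _opt_port(tokens):
    """Consume an optional 'eq PORT' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        _, tok = tokens.pop(0), tokens.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]
    return None

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    name, rest = tokens[1], tokens[2:]
    rest = rest[1:] if rest[0] == "extended" else rest
    action, proto = rest.pop(0), rest.pop(0)
    src, sport = _addr(rest), _opt_port(rest)  # an 'eq' right after SRC is the SOURCE port
    dst, dport = _addr(rest), _opt_port(rest)
    return {"name": name, "permit": action == "permit", "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl_name, proto, src, sport, dst, dport, lines=ACL_LINES):
    """First matching ACE in the named ACL decides; no match is the implicit deny."""
    for ace in (parse_ace(line) for line in lines):
        if ace["name"] != acl_name or ace["proto"] not in ("ip", proto):
            continue
        addrs_ok = all(want is None or want == ip_address(have)
                       for want, have in ((ace["src"], src), (ace["dst"], dst)))
        ports_ok = all(want is None or want == have
                       for want, have in ((ace["sport"], sport), (ace["dport"], dport)))
        if addrs_ok and ports_ok:
            return ace["permit"]
    return False
```

Evaluating the client's SYN (random source port, destination 443) against the INSIDE ACL returns permit only because of Jon's added line; the original DMZ entry, with `eq 443` on the source side, matches only packets that leave 172.10.10.5 from port 443.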

nasr.khan Tue, 11/03/2009 - 14:22

Thanks Jon.

(1) Working

(2) I changed the PC and it started working; seems the PC itself has an issue.

(*) ACL inside shows hits. Can I clear those hits, and with which command syntax?

(*) Local DNS Server needs to resolve Internet DNS addresses. Do I need a static NAT with a public IP, or just allow an ACL for the DNS host with udp port 53 and add a NAT(0) statement?

(*) Total of 2MB ISP Bandwidth. Is it possible to get a report every 12 hours of how much bandwidth each service (SMTP) consumes in/out?

