Traffic flow on ASA

nasr.khan
Level 1

Hello,

Are these configs OK as per the need?

But still not working, except SMTP.

Requirement

* allow SMTP traffic from outside to host 80.1.2.3

* allow port 5512 from inside to outside for host 192.168.20.50

* allow inside host 192.168.1.10 to communicate on port 443 to dmz host 172.10.10.5

%%%%config%%%%

interface GigabitEthernet0/0
 description "Connected to Internet"
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 80.1.2.1 255.255.255.240
!
interface GigabitEthernet0/1
 description "Connected to LAN"
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
!
interface GigabitEthernet0/3
 description "Connected to DMZ-SW"
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.10.10.1 255.255.255.0
!
access-list OUTSIDE extended permit tcp any host 80.1.2.3 eq smtp
access-list INSIDE extended permit tcp host 192.168.20.50 any eq 5512
access-list INSIDE extended permit tcp host 192.168.20.100 any eq SMTP
access-list DMZ extended permit tcp host 172.10.10.5 eq 443 host 192.168.1.10 eq 443
!
global (Outside) 1 interface
nat (inside) 1 192.168.20.50 255.255.255.255
static (inside,DMZ) 172.10.10.5 192.168.1.10 netmask 255.255.255.255
static (inside,Outside) 80.1.2.3 192.168.20.100 netmask 255.255.255.255
!
access-group OUTSIDE in interface Outside
access-group INSIDE in interface inside
access-group DMZ in interface DMZ
!
route Outside 0.0.0.0 0.0.0.0 80.1.2.2

2 Replies

Jon Marshall
Hall of Fame

Nasr

So only SMTP to 80.1.2.3 is working?

If so then

1) allow inside host 192.168.1.10 to communicate on port 443 to dmz host 172.10.10.5

you need to modify the config -

remove this from your config -

static (inside,DMZ) 172.10.10.5 192.168.1.10 netmask 255.255.255.255

add this to your config

access-list INSIDE permit tcp host 192.168.1.10 host 172.10.10.5 eq 443

static (inside,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

2) allow port 5512 from inside to outside for host 192.168.20.50

your config for this should work.

Jon
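To make the two changes Jon describes concrete, here is an added example (not Cisco code and not from the thread) that models how an ASA evaluates an inbound interface ACL (first match, implicit deny at the end) and a host static NAT for the inside-to-DMZ HTTPS flow. It understands only the `host`, `any`, and `eq <port>` forms used in the posted config; the client flow (source port 51234) and the two config fragments are constructed from the thread. With the original config, the INSIDE ACL has no entry for 192.168.1.10, so the access-group's implicit deny drops the connection, and the static would rewrite the client's source to 172.10.10.5, the DMZ server's own address. With Jon's fragment the ACE permits the flow and the identity static leaves the address unchanged. The DMZ ACE with `eq 443` on both ends only matches 443-to-443 packets, which a real client never sends; the server's reply is allowed by the stateful connection table anyway, so that line is dead config.

```python
import re
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}  # subset of ASA names


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# ACE forms used in the thread only: [extended] permit|deny <proto> host X|any [eq P] host Y|any [eq P]
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>host\s+\S+|any)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>host\s+\S+|any)(?:\s+eq\s+(?P<dport>\S+))?\s*$",
    re.IGNORECASE,
)
# static (real_if,mapped_if) MAPPED REAL netmask ...   (host statics only)
STATIC_RE = re.compile(
    r"static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
)


def _port(tok):
    if tok is None:
        return None  # no 'eq' keyword: any port matches
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def _addr_match(spec, ip):
    return spec.lower() == "any" or spec.split()[1] == ip


def parse_acls(config):
    """Return {acl_name: [ace, ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], []).append({
                "action": m["action"].lower(), "proto": m["proto"].lower(),
                "src": m["src"], "sport": _port(m["sport"]),
                "dst": m["dst"], "dport": _port(m["dport"]),
            })
    return acls


def acl_decision(aces, flow):
    """First matching ACE wins; an applied ACL ends with an implicit deny."""
    for ace in aces:
        if (ace["proto"] in (flow.proto, "ip")
                and _addr_match(ace["src"], flow.src)
                and ace["sport"] in (None, flow.sport)
                and _addr_match(ace["dst"], flow.dst)
                and ace["dport"] in (None, flow.dport)):
            return ace["action"]
    return "deny"


def static_translate(config, real_if, mapped_if, real_ip):
    """Source address a packet from real_ip carries when it exits mapped_if."""
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if (m and m["real_if"].lower() == real_if.lower()
                and m["mapped_if"].lower() == mapped_if.lower()
                and m["real"] == real_ip):
            return m["mapped"]
    return real_ip  # no static applies: untranslated


# Constructed fragments: the relevant lines of the posted config and of Jon's fix.
ORIGINAL = """\
access-list INSIDE extended permit tcp host 192.168.20.50 any eq 5512
access-list INSIDE extended permit tcp host 192.168.20.100 any eq SMTP
access-list DMZ extended permit tcp host 172.10.10.5 eq 443 host 192.168.1.10 eq 443
static (inside,DMZ) 172.10.10.5 192.168.1.10 netmask 255.255.255.255
"""
CORRECTED = """\
access-list INSIDE extended permit tcp host 192.168.20.50 any eq 5512
access-list INSIDE extended permit tcp host 192.168.20.100 any eq SMTP
access-list INSIDE permit tcp host 192.168.1.10 host 172.10.10.5 eq 443
static (inside,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
"""

# Constructed client SYN: ephemeral source port, HTTPS on the DMZ server.
HTTPS = Flow("tcp", "192.168.1.10", 51234, "172.10.10.5", 443)


def evaluate(config, flow=HTTPS):
    """(verdict of the inbound INSIDE ACL, source address seen on the DMZ side)."""
    verdict = acl_decision(parse_acls(config).get("INSIDE", []), flow)
    return verdict, static_translate(config, "inside", "DMZ", flow.src)


def dmz_ace_verdict_for_reply(config, flow=HTTPS):
    """Server reply checked against the DMZ ACL: the 'eq 443 ... eq 443' ACE needs
    both ports to be 443, so it never matches. (The reply is permitted by the
    stateful connection table regardless; the ACE is simply ineffective.)"""
    reply = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
    return acl_decision(parse_acls(config).get("DMZ", []), reply)


if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL))   # ('deny', '172.10.10.5')
    print("corrected:", evaluate(CORRECTED))  # ('permit', '192.168.1.10')
```

The model is deliberately small: it ignores network objects, ranges, object-groups and the connection table, which is exactly why the second function has to spell out that return traffic is handled by state rather than by the DMZ ACL.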

Thanks Jon.

(1) Working.

(2) I changed the PC and it started working; it seems the PC itself has an issue.

(*) ACL inside shows hits. Can I clear those hits, and with which command syntax?

(*) The local DNS server needs to resolve Internet DNS addresses. Do I need a static NAT with a public IP, or just allow an ACL for the DNS host with UDP port 53 and add a nat (0) statement?

(*) Total of 2 MB ISP bandwidth. Is it possible to get a report every 12 hours on how much bandwidth each service (SMTP) consumes in/out?
