DMZ to inside ASA 8.4/ASDM 6.4

Unanswered Question
May 22nd, 2012
User Badges:

Hello guys,


This is my first post so please forgive me if this has already been answered in the forum.


I have a standard ASA 5505 with inside, dmz and outside with the default security levels, 100/50/0. we have an email server inside which has been NATed and is working fine. However users accessing the wireless on the dmz are unable to access their emails on https (443). How do I allow SSL access ONLY to users on the dmz using ASA 8.4 commands or ADSM 6.4?


Many thanks for any help.


/Slipz

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
siddhartham Tue, 05/22/2012 - 10:03
User Badges:
  • Silver, 250 points or more

Where are the wireless users? Inside or in DMZ zone?

slipperzoom Tue, 05/22/2012 - 12:12
User Badges:

Thanks for your reply siddhartham. The wireless users are in the DMZ zone.

Julio Carvajal Tue, 05/22/2012 - 10:29
User Badges:
  • Purple, 4500 points or more

Hello,


you will need to allow that traffic into the DMZ access-list

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 192.168.2.2 (inside email server) eq 443

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 192.168.2.2 (inside email server) eq 25

access-group dmz in interface dmz


Regards,


DO rate all the helpful posts


Julio

slipperzoom Tue, 05/22/2012 - 12:15
User Badges:

Thanks for your reply. I will try this later but I'm not sure that I can achieve this with an access-list only. I'll post details later.

Julio Carvajal Tue, 05/22/2012 - 12:21
User Badges:
  • Purple, 4500 points or more

Hello,


As you asked just for an ACL, I thought you already had the NAT.


Lets say the ip address of the Inside server is 10.10.10.2 and the DMZ subnet is 192.168.12.0

You want to nat the Inside server on the DMZ to 192.168.12.3

Here is what you need


object network Inside_server

host 10.10.10.2


object network DMZ_Server_global

host 192.168.12.3


nat (inside,dmz) source static  Inside_server  DMZ_Server_global

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 10.10.10.2 (inside email server) eq 443

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 10.10.10.2 (inside email server) eq 25



Do rate all the helpful posts!!

slipperzoom Wed, 05/23/2012 - 02:44
User Badges:

Many thanks jcarvaja for the update. I'll test this out tonight and post details.


Best regards,

Eric

Julio Carvajal Wed, 05/23/2012 - 09:16
User Badges:
  • Purple, 4500 points or more

Hello Eric,


My pleasure, I will be more than glad to help.


Regards,


Do rate all the helpful posts

slipperzoom Wed, 06/06/2012 - 07:50
User Badges:

Hi jcarvaja,


Thanks again but your suggested solution does not appear to work.


Just to clarify:


1. We do not have any servers on the dmz network. All we use that for is allow connections from smart phones through a wireless access point out to the internet.


2. The smartphones are able to access the internet but cannot access the public address of the Exchange server. We need to be able to allow ssl access only (from all mobile devices on the dmz) to the exchange public interface.


Found the following link which highlights a similar scenario but I'm not sure if the commands will work for ASA 8.4


https://supportforums.cisco.com/thread/2124287


.. appreciate any further help.


/Slipz

nkarthikeyan Wed, 06/06/2012 - 09:20
User Badges:
  • Gold, 750 points or more

Hi Eric,


First thing u may need to have an acl created for dmz zone to permit https from dmz zone subnet to email server.


Also you need to check on the routing if any infra present in the inside zone.


access-list permit tcp host eq https

access-list deny ip any any


Check if there is any hits when you try to access web mail through mobiles. If hits present for that... then you may need to check on the routing and other stuffs related to dmz.


Please let me know if this helps...

leeswc Wed, 02/13/2013 - 12:28
User Badges:

Greetings All,


Did a search on Google for a problem that sounds much like this one and found this thread. Did the above fix the problem? I'm not quite clear where the ACL was applied if the public addresses are not on an interface. I have the same situation; public IPs are defined in the NAT rules, but not associated with an interface. Thanks.

Actions

This Discussion

Related Content