07-03-2015 08:50 PM - edited 03-11-2019 11:13 PM
hi guys,
I got this ASA 5505 to configure for our network. I just can't figure out what's wrong with my current configuration to allow the outside network to access a web server behind a DMZ... Followed several tutorials but nothing works for me :(. Anyone here can help me...? Thanks a lot in advance.
ASA5505 ASA ver 8.4(4) 1 ASDM Version 6.4(5)
inside: 10.0.0.1/8
outside: 172.22.13.15/16
dmz: 172.16.0.1/16
any help would be much appreciated thank you :)
*****************************************
object network dmz-subnet
subnet 172.16.0.0 255.255.0.0
nat (dmz,outside) dynamic interface
exit
object network dmz-host-ext
host 172.22.13.15
exit
object network dmz-host-int
host 172.16.0.2
nat (dmz,outside) static dmz-host-ext
exit
access-list inbound extended permit tcp any object dmz-host-int eq www
access-list inbound extended permit tcp any object dmz-host-int eq https
access-group inbound in interface outside
access-list dmz-outbound permit tcp object dmz-host-int host 10.0.0.100 eq 1433
access-group dmz-outbound in interface dmz
07-04-2015 06:51 AM
You should use a dedicated address (apart from the outside interface address) for your DMZ server's static NAT.
You then need a nat (outside,dmz) for that object.
Your access-list is fine (once you fix the NAT).
07-07-2015 09:11 PM
Thank you, Sir... for your reply. I will try it now... changing my configuration... hope it works well :)
07-29-2015 02:00 AM
Sir Marvin, can you spare me some time to check my configuration? I still cannot access the web server behind the DMZ. Thank you.
I have made some changes. Sorry, I'm new at ASA.
ASA5505 ASA ver 8.4(4) 1 ASDM Version 6.4(5)
inside: 10.0.0.1/8
outside: 172.22.13.15/16
dmz: 172.16.0.1/16
web server external IP: 172.22.13.14
*****************************************
object network dmz-subnet
subnet 172.16.0.0 255.255.0.0
nat (dmz,outside) dynamic interface
exit
object network dmz-host-ext
host 172.22.13.14
exit
object network out-to-host
host 172.16.0.2
nat(outside,dmz) static dmz-host-ext
object network dmz-host-int
host 172.16.0.2
nat (dmz,outside) static dmz-host-ext
exit
access-list inbound extended permit tcp any object dmz-host-int eq www
access-list inbound extended permit tcp any object dmz-host-int eq https
access-group inbound in interface outside
access-list dmz-outbound permit tcp object dmz-host-int host 10.0.0.100 eq 1433
access-group dmz-outbound in interface dmz
07-29-2015 09:01 AM
You don't need (and should remove):
nat (dmz,outside) static dmz-host-ext
access-list dmz-outbound permit tcp object dmz-host-int host 10.0.0.100 eq 1433
access-group dmz-outbound in interface dmz
The "nat(outside,dmz) static dmz-host-ext" is the only host NAT you need.
The access-list should not be used as it is not necessary from DMZ to outside (assuming you've assigned the DMZ a higher security level than the outside).
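An added sanity check, not from this thread or from Cisco, that parses ASA object-NAT statements in the format posted above and flags the two problems the replies point at: a static mapping that reuses the outside interface address (first posting) and a real host carrying more than one static NAT rule (second posting). The embedded sample is the second posted configuration and the outside address 172.22.13.15 comes from the postings; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the second configuration posted in this thread.
SAMPLE_CONFIG = """\
object network dmz-subnet
 subnet 172.16.0.0 255.255.0.0
 nat (dmz,outside) dynamic interface
object network dmz-host-ext
 host 172.22.13.14
object network out-to-host
 host 172.16.0.2
 nat(outside,dmz) static dmz-host-ext
object network dmz-host-int
 host 172.16.0.2
 nat (dmz,outside) static dmz-host-ext
"""

# Matches "nat (real,mapped) static <mapped-object>", with or without a space after "nat".
NAT_RE = re.compile(r"^\s*nat\s*\((\w+),(\w+)\)\s+static\s+(\S+)")

def parse_objects(config):
    """Return {name: {"host": ip or None, "static": [(real_ifc, mapped_ifc, mapped_obj), ...]}}."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = {"host": None, "static": []}
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current:
            m = NAT_RE.match(line)
            if m:
                objects[current]["static"].append(m.groups())
    return objects

def check_static_nat(config, outside_ip):
    """Flag a static mapping onto the outside interface address, and a real
    host that carries more than one static NAT rule (keep a single one)."""
    objs = parse_objects(config)
    findings, per_host = [], defaultdict(list)
    for name, obj in objs.items():
        for real_ifc, mapped_ifc, mapped_obj in obj["static"]:
            mapped_ip = objs.get(mapped_obj, {}).get("host")
            if mapped_ip == outside_ip:
                findings.append(f"{name}: static NAT to {mapped_ip} reuses the outside interface address")
            if obj["host"]:
                per_host[obj["host"]].append(name)
    for host, names in per_host.items():
        if len(names) > 1:
            findings.append(f"{host}: {len(names)} static NAT rules ({', '.join(names)}); keep one")
    return findings
```

Run `check_static_nat(SAMPLE_CONFIG, "172.22.13.15")` to see the duplicate-static finding for 172.16.0.2; feeding it the first posted configuration instead reports the mapping onto the outside interface address.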
08-01-2015 12:57 AM
Thank you very much, Sir Marvin.