ServerASA5505 ASA ver 8.4(4) 1 ASDM Version 6.4(5)

hi guys,

I got this ASA 5505 to configure for our network and I just can't figure out what's wrong with my current configuration to allow the outside network to access a web server behind the DMZ... Followed several tutorials but nothing works for me :(. Can anyone here help me...? Thanks a lot in advance.
 

ASA5505 ASA ver 8.4(4) 1 ASDM Version 6.4(5)

inside 10.0.0.1/8

outside: 172.22.13.15/16

dmz: 172.16.0.1/16

 

any help would be much appreciated thank you :)

*****************************************

object network dmz-subnet
subnet 172.16.0.0 255.255.0.0
nat (dmz,outside) dynamic interface
exit

object network dmz-host-ext
host 172.22.13.15
exit

object network dmz-host-int
host 172.16.0.2
nat (dmz,outside) static dmz-host-ext
exit


access-list inbound extended permit tcp any object dmz-host-int eq www
access-list inbound extended permit tcp any object dmz-host-int eq https
access-group inbound in interface outside

access-list dmz-outbound permit tcp object dmz-host-int host 10.0.0.100 eq 1433
access-group dmz-outbound in interface dmz

Marvin Rhoads
Hall of Fame

You should use a dedicated address (apart from the outside interface address) for your DMZ server's static NAT.

You then need a nat (outside,dmz) for that object.

Your access-list is fine (once you fix the NAT).

Thank you, sir, for your reply. I will try it now, changing my configuration... hope it works well :)

 

Sir Marvin, can you spare me some time to check my configuration? I still cannot access the web server behind the DMZ. Thank you.

I have made some changes. Sorry, I'm new to ASA.

 

ASA5505 ASA ver 8.4(4) 1 ASDM Version 6.4(5)

inside 10.0.0.1/8
outside: 172.22.13.15/16
dmz: 172.16.0.1/16
web server external IP: 172.22.13.14
*****************************************

object network dmz-subnet
subnet 172.16.0.0 255.255.0.0
nat (dmz,outside) dynamic interface
exit

object network dmz-host-ext
host 172.22.13.14
exit

object network out-to-host
host 172.16.0.2
nat(outside,dmz) static dmz-host-ext

object network dmz-host-int
host 172.16.0.2
nat (dmz,outside) static dmz-host-ext
exit

access-list inbound extended permit tcp any object dmz-host-int eq www
access-list inbound extended permit tcp any object dmz-host-int eq https
access-group inbound in interface outside

access-list dmz-outbound permit tcp object dmz-host-int host 10.0.0.100 eq 1433
access-group dmz-outbound in interface dmz

 

You don't need (and should remove):

nat (dmz,outside) static dmz-host-ext

access-list dmz-outbound permit tcp object dmz-host-int host 10.0.0.100 eq 1433
access-group dmz-outbound in interface dmz

The "nat(outside,dmz) static dmz-host-ext" is the only host NAT you need.

The access-list should not be used as it is not necessary from DMZ to outside (assuming you've assigned the DMZ a higher security level than the outside).
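As an added illustration (not part of this thread and not Cisco code), here is a small Python checker that parses the object-NAT stanzas in the format posted above and flags the two problems raised in the replies: a static NAT whose mapped address collides with an interface address, and a real host that carries static NAT in more than one object. The two sample configurations are reconstructed from the poster's two posts, and the interface addresses are the ones stated in the thread; the `interface_ips` parameter, the object and function names, and the ASA lines used as input are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Interface addresses as stated in the thread (assumed: passed in, not parsed).
INTERFACE_IPS = {"inside": "10.0.0.1", "outside": "172.22.13.15", "dmz": "172.16.0.1"}

# Constructed sample 1: the poster's first configuration, where the mapped
# address 172.22.13.15 is also the outside interface address.
FIRST_CONFIG = """\
object network dmz-subnet
subnet 172.16.0.0 255.255.0.0
nat (dmz,outside) dynamic interface
exit
object network dmz-host-ext
host 172.22.13.15
exit
object network dmz-host-int
host 172.16.0.2
nat (dmz,outside) static dmz-host-ext
exit
access-list inbound extended permit tcp any object dmz-host-int eq www
"""

# Constructed sample 2: the poster's second configuration, where the real host
# 172.16.0.2 has a static NAT in two different objects.
SECOND_CONFIG = """\
object network dmz-subnet
subnet 172.16.0.0 255.255.0.0
nat (dmz,outside) dynamic interface
exit
object network dmz-host-ext
host 172.22.13.14
exit
object network out-to-host
host 172.16.0.2
nat(outside,dmz) static dmz-host-ext
object network dmz-host-int
host 172.16.0.2
nat (dmz,outside) static dmz-host-ext
exit
"""


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    kind: str    # "static" or "dynamic"
    mapped: str  # object name, literal address, or the keyword "interface"


@dataclass
class NetObject:
    name: str
    host: Optional[str] = None
    subnet: Optional[str] = None
    nats: List[NatRule] = field(default_factory=list)


# Any of these at the start of a line ends the current object stanza.
TOP_LEVEL = re.compile(r"^(object|access-list|access-group|interface|route)\b")
# Tolerates "nat(outside,dmz)" without a space, as typed in the thread.
NAT_RE = re.compile(r"^nat\s*\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(static|dynamic)\s+(\S+)")


def parse_objects(text: str) -> Dict[str, NetObject]:
    """Collect 'object network' stanzas with their host/subnet and NAT lines."""
    objects: Dict[str, NetObject] = {}
    current: Optional[NetObject] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^object network (\S+)$", line)
        if m:
            current = NetObject(m.group(1))
            objects[current.name] = current
            continue
        if line == "exit" or TOP_LEVEL.match(line):
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^host (\S+)$", line)
        if m:
            current.host = m.group(1)
            continue
        m = re.match(r"^subnet (\S+) (\S+)$", line)
        if m:
            current.subnet = f"{m.group(1)} {m.group(2)}"
            continue
        m = NAT_RE.match(line)
        if m:
            current.nats.append(NatRule(*m.groups()))
    return objects


def audit(objects: Dict[str, NetObject], interface_ips: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the two misconfigurations discussed."""
    findings: List[str] = []
    static_by_real: Dict[str, List[str]] = {}
    for obj in objects.values():
        for nat in obj.nats:
            if nat.kind != "static":
                continue
            # Resolve the mapped side: an object name or a literal address.
            mapped_obj = objects.get(nat.mapped)
            mapped_ip = mapped_obj.host if mapped_obj and mapped_obj.host else nat.mapped
            for ifc, ip in interface_ips.items():
                if mapped_ip == ip:
                    findings.append(f"{obj.name}: static NAT maps to the {ifc} interface address "
                                    f"{ip}; use a dedicated mapped address")
            if obj.host:
                static_by_real.setdefault(obj.host, []).append(
                    f"{obj.name} ({nat.real_ifc},{nat.mapped_ifc})")
    for real, entries in static_by_real.items():
        if len(entries) > 1:
            findings.append(f"real host {real} has static NAT in more than one object: "
                            f"{'; '.join(entries)}; keep a single rule")
    return findings


def audit_config(text: str, interface_ips: Dict[str, str] = INTERFACE_IPS) -> List[str]:
    return audit(parse_objects(text), interface_ips)


if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_CONFIG), ("second post", SECOND_CONFIG)):
        print(label)
        for f in audit_config(cfg):
            print("  -", f)
```

Running it prints one finding per sample: the first configuration maps the server onto the outside interface address, and the second carries two static NAT rules for 172.16.0.2. The checker only looks at object NAT and takes interface addresses as input, so it is a quick pre-commit sanity check rather than a full `show nat` replacement.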

Thank you very much, sir Marvin.
