Re: 2 x ASA communicating from DMZ;Inside;Inside;Outside

network_team · ‎08-12-2008

Hi

I have 2 x ASA and i am trying to get a server in the DMZ asa1 to communicate to Outside asa 2.

The path it takes is the following:

asa1 DMZ Inside

asa2 Inside Outside

But the above does not work i dont see packets getting to Outside asa2. Is this a problem with security levels or is it not possible to pass traffic from the interfaces via two firewalls.

purohit_810 · ‎08-12-2008

I think your setup look like this,

1) Both firewall's outside interface connected to switch.

2) DMZ server is connected on only one firewall.

If this is the case then you should put a switch in DMZ connect server with switch and connect both firewall's DMZ to the switch.

Now it will be... route from inside to DMZ from both are firewalls.

Thanks,

Dharmesh

Marwan ALshawi · ‎08-12-2008

as i understood

asa dmz>>inside>>asa2inside>>asa2 outside

i will assume the following example

asa1

DMZ network 192.168.1.0/24

inside 10.1.1.0/24

inside IP 10.1.1.1

asa2

inside 10.1.1.0/24

inside IP 10.1.1.2

on the asa 1 do the following

static (DMZ, inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

route inside 0.0.0.0 0.0.0.0 10.1.1.2

access-list 100 permit ip 192.168.1.0 any

access-group in interface DMZ

(asumeing that inside security level 100 and dmz less than 100)

now asa 2

route inside 192.168.1.0 255.255.255.0 10.1.1.1

if u want access to the packet come from outside asa2 to dmz asa1 add the follwoing

access-list 101 permit ip any 192.168.1.0 255.255.255.0

access-group 101 in outside

good luck

please, if helpfull rate

network_team · ‎08-12-2008

As you can see the 16.166.0.112 is unable to access the webserver on 111.111.101.10. The traffic from 16.166.0.112 goes through the asa1 and out via 18.8.88.x on the asa2, but we do not see any traffic going to asa for access to 111.111.101.10.

asa1 dmz security level 4

asa1 inside security level 100

asa2 inside security level 100

asa2 outside security level 0

Marwan ALshawi · ‎08-12-2008

if u can post the config of both asa 1 and 2

will be easier to solve it

however the idea i have mentioned above stile valid for ur case

but if u can post the config will save time for us

network_team · ‎08-14-2008

Hi

Please find attached the configurations as requested. I have tried your implementation with no joy

Marwan ALshawi · ‎08-14-2008

try to add the following and let me know

on ASA_1

access-list 100 permit ip host Web host cx01

access-group in interface outside

on ASA_2

access-list 100 permit host cx01 host Web

access-gorup in interface DMZ

good luck

network_team · ‎08-15-2008

Hi the configuration above you gave me didnt work.

Marwan ALshawi · ‎08-15-2008

what is this for on ASA 1

route outside Web 255.255.255.255 192.168.201.3 1

!!!

if the web server connected to the outside asa 1 subnet directly remove this line

remove this line from asa 2 aswel:

route DMZ CX01 255.255.255.255 16.166.1.11 1

and keep the acls i have given to u

then

reload the both fire walls and test it then let me know

good luck