08-12-2008 02:22 AM - edited 03-11-2019 06:29 AM
Hi
I have 2 x ASA and I am trying to get a server in the DMZ of asa1 to communicate with the Outside of asa2.
The path it takes is the following:
asa1: DMZ -> Inside
asa2: Inside -> Outside
But the above does not work; I don't see packets getting to the Outside of asa2. Is this a problem with security levels, or is it not possible to pass traffic from the interfaces via two firewalls?
08-12-2008 05:02 AM
I think your setup looks like this:
1) Both firewalls' outside interfaces are connected to a switch.
2) The DMZ server is connected to only one firewall.
If this is the case then you should put a switch in the DMZ, connect the server to the switch and connect both firewalls' DMZ interfaces to the switch.
Now it will be... routed from inside to DMZ from both firewalls.
Thanks,
Dharmesh
08-12-2008 05:03 AM
As I understood it:
asa1 dmz >> asa1 inside >> asa2 inside >> asa2 outside
I will assume the following example:
asa1
DMZ network 192.168.1.0/24
inside 10.1.1.0/24
inside IP 10.1.1.1
asa2
inside 10.1.1.0/24
inside IP 10.1.1.2
On asa1 do the following:
static (DMZ,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
route inside 0.0.0.0 0.0.0.0 10.1.1.2
access-list 100 permit ip 192.168.1.0 255.255.255.0 any
access-group 100 in interface DMZ
(assuming that the inside security level is 100 and the dmz is less than 100)
Now asa2:
route inside 192.168.1.0 255.255.255.0 10.1.1.1
If you want to allow packets coming from the outside of asa2 to the dmz of asa1, add the following:
access-list 101 permit ip any 192.168.1.0 255.255.255.0
access-group 101 in interface outside
Good luck
Please rate if helpful
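The two-firewall design in the reply above, written out as one consolidated configuration with a verification step. This is an added example, not the poster's configuration or Cisco documentation: it assumes ASA 8.0-era syntax, a single DMZ host at 192.168.1.10, the ACL names DMZ_IN and INSIDE_IN, and PAT on asa2's outside interface (the thread mentions traffic leaving via 18.8.88.x). The destination 111.111.101.10 is the web server named later in the thread. The DMZ ACL is narrowed to the ports the server actually needs rather than "permit ip ... any".

```cisco
! --- asa1 (assumed example config) ---
! Interfaces from the thread: DMZ (security level 4), inside (security level 100)
! Identity NAT so DMZ hosts keep their own addresses when leaving toward inside
static (DMZ,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! DMZ -> inside is lower -> higher security, so an ACL on DMZ is mandatory.
! Permit only what the server needs (HTTP/HTTPS) instead of "permit ip ... any"
access-list DMZ_IN extended permit tcp host 192.168.1.10 any eq www
access-list DMZ_IN extended permit tcp host 192.168.1.10 any eq https
access-group DMZ_IN in interface DMZ
! Default route toward asa2's inside address
route inside 0.0.0.0 0.0.0.0 10.1.1.2 1

! --- asa2 (assumed example config) ---
! Return route to the DMZ subnet via asa1's inside address; without it asa2
! drops the reply traffic even though the forward path looks fine on asa1
route inside 192.168.1.0 255.255.255.0 10.1.1.1 1
! PAT the DMZ subnet (and asa2's own inside subnet) behind the outside interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! inside (100) -> outside (0) is allowed by security level alone. If an
! access-group is already applied inbound on inside, it must permit the flow:
access-list INSIDE_IN extended permit tcp host 192.168.1.10 any eq www
access-list INSIDE_IN extended permit tcp host 192.168.1.10 any eq https
access-group INSIDE_IN in interface inside

! --- Verify the path hop by hop (run on each ASA) ---
! asa1: expect "Action: allow", the DMZ_IN ACL hit and the identity static xlate
packet-tracer input DMZ tcp 192.168.1.10 1025 111.111.101.10 80
! asa2: expect the route lookup to outside and the PAT to the 18.8.88.x address
packet-tracer input inside tcp 192.168.1.10 1025 111.111.101.10 80
! While a real test connection is open, confirm the translation and the conn
show xlate
show conn | include 192.168.1.10
```

The security-level question in the original post is answered by the two halves: on asa1 the DMZ-to-inside hop goes from a lower to a higher security level, so nothing passes until an inbound ACL on DMZ permits it; on asa2 the inside-to-outside hop goes from higher to lower, so it needs no ACL but does need NAT and, critically, a return route for 192.168.1.0/24. If packet-tracer on asa1 shows "allow" but asa2 shows a drop in the route-lookup or NAT phase, the missing piece is on asa2, not on asa1.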
08-12-2008 05:54 AM
As you can see, 16.166.0.112 is unable to access the webserver on 111.111.101.10. The traffic from 16.166.0.112 goes through asa1 and out via 18.8.88.x on asa2, but we do not see any traffic going to the asa for access to 111.111.101.10.
asa1 dmz security level 4
asa1 inside security level 100
asa2 inside security level 100
asa2 outside security level 0
08-12-2008 06:53 AM
If you can post the config of both asa1 and asa2
it will be easier to solve.
However, the idea I mentioned above is still valid for your case,
but if you can post the config it will save time for us.
08-14-2008 06:58 AM
08-14-2008 06:34 PM
Try to add the following and let me know.
On ASA_1:
access-list 100 permit ip host Web host cx01
access-group 100 in interface outside
On ASA_2:
access-list 100 permit ip host cx01 host Web
access-group 100 in interface DMZ
Good luck
08-15-2008 01:48 AM
Hi, the configuration above that you gave me didn't work.
08-15-2008 02:53 AM
What is this for on ASA 1?
route outside Web 255.255.255.255 192.168.201.3 1
!!!
If the web server is connected directly to the outside subnet of asa1, remove this line.
Remove this line from asa2 as well:
route DMZ CX01 255.255.255.255 16.166.1.11 1
and keep the ACLs I have given you,
then
reload both firewalls, test it and let me know.
Good luck