Cisco Support Community
ASA 5505 dmz newbie

Can't seem to figure out how to build a DMZ for our webserver. All traffic gets denied by the default incoming rule.

I want all incoming http/80 requests to the external IP (192.168.10.35 for now) to be forwarded to the www-server in the DMZ, 176.16.3.15.

I think I have the address translation up and running, but no matter what incoming firewall rule I create, traffic gets blocked. I must be missing something obvious here... any ideas:

ASA Version 8.0(3)
!
hostname *
domain-name *
enable password *
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz-office
security-level 50
ip address 172.16.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside-acl extended permit tcp any host 192.168.10.35 eq www
access-list outside_access_in extended permit tcp any host 192.168.10.35 eq www
access-list l2l_list extended permit ip host 192.168.10.35 host 192.168.10.14
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz-office 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.2 www 192.168.10.35 www netmask 255.255.255.255
static (dmz-office,inside) 172.16.3.14 192.168.10.35 netmask 255.255.255.255
static (inside,dmz-office) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside

2 REPLIES

Re: ASA 5505 dmz newbie

Hi,

Give the following command for NATting the IP 192.168.10.35 (outside) to 172.16.3.15 (dmz):

! static (real_ifc,mapped_ifc) mapped_ip real_ip; the DMZ interface is named dmz-office in the posted config
static (dmz-office,outside) 192.168.10.35 172.16.3.15 netmask 255.255.255.255


Re: ASA 5505 dmz newbie

Does the NAT routing between the VLANs have to be up and running correctly before I use the packet tracer in the ASDM to see what packets are accepted and/or dropped?

It seems like everything gets dropped but the default rule.
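A complete version of the translation suggested in the first reply, together with the packet-tracer check asked about in the follow-up, as an added example that is not from this thread or from Cisco. It assumes the interface names and addresses from the posted config (ASA 8.0, pre-8.3 NAT syntax) and uses 203.0.113.7 as a constructed test source; whether 192.168.10.35 is a spare address or the outside interface's own DHCP address is an assumption the poster has to resolve.

```cisco
! Added example, not from the thread: ASA 8.0(3) inbound tcp/80 forward to a DMZ web server.
! Assumed from the posted config: interfaces outside and dmz-office, server 172.16.3.15,
! public address 192.168.10.35.
!
! 1. Static NAT. Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip.
!    If 192.168.10.35 is a spare address routed to the ASA, a one-to-one static works:
static (dmz-office,outside) 192.168.10.35 172.16.3.15 netmask 255.255.255.255
!    If 192.168.10.35 is the outside interface's own address, a one-to-one static to the
!    interface address is not accepted; use port redirection to the interface instead:
! static (dmz-office,outside) tcp interface www 172.16.3.15 www netmask 255.255.255.255
!
! 2. Inbound ACL on the outside interface. In 8.0 the ACL matches the mapped (public)
!    address, not the server's real DMZ address, and permits only tcp/80.
access-list outside_access_in extended permit tcp any host 192.168.10.35 eq www
access-group outside_access_in in interface outside
!
! 3. The two statics in the posted config that mention 192.168.10.35 bind it to the inside
!    interface and do not implement the outside-to-dmz translation; remove them and flush
!    existing translations so the new static is used.
no static (outside,inside) tcp 192.168.1.2 www 192.168.10.35 www netmask 255.255.255.255
no static (dmz-office,inside) 172.16.3.14 192.168.10.35 netmask 255.255.255.255
clear xlate
!
! 4. Verify without waiting for real traffic: packet-tracer walks a simulated inbound
!    tcp/80 packet through ACL and NAT and reports the phase that drops it, so the NAT
!    and ACL do need to be in place first for the result to be meaningful.
!    203.0.113.7 40000 is a constructed source address/port.
packet-tracer input outside tcp 203.0.113.7 40000 192.168.10.35 80
show xlate
show access-list outside_access_in
```

If packet-tracer reports a drop in the ACCESS-LIST phase, the ACL is referencing the wrong address for this ASA version; a drop in the NAT phase means the static is missing or points at the wrong interface pair.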
