ASA 5505 Inside Access to DMZ Server

andywang1
Level 1

Hello All!

I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.

So I set up an email server on our DMZ at 192.168.100.20. It can be accessed via https, imap, etc. from the Internet, no problem, from a IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)

I can ping the mail server through the ASA, and get a response from 192.168.100.20. I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.

Here's my config:

name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
interface Vlan1
 nameif inside
 ip address 192.168.3.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.94.68.123 255.255.255.248
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
access-group outside_access_in in interface outside

Thanks All!

Andrew

4 Replies

acomiskey
Level 10

Why not just access it with its real address, 192.168.100.20? Just remove the destination nat statement.

no static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255

I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add to workstations the ASA and a secondary default gateway and would that work?

Thanks!!

Andrew

I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?

ip route 192.168.100.0 255.255.255.0 192.168.3.2

I was only able to ping after adding this:

static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Note that if I try to ftp the mailserver the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mailserver. So it seems the return packet is getting lost?

I will try the ip route thing.

Thanks,

Andrew
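Added example, not from this thread and not Cisco's code: a small Python model of the pre-8.3 ASA NAT lookup, run over the NAT-relevant lines of the config in the original post, to show why the identity static (inside,dmz) made the difference Andrew reports, which address inside clients must use for the mail server while the static (dmz,inside) line is present, and what changes when that line is removed as acomiskey suggests. Assumptions: the modelled order is the documented pre-8.3 one (static before nat/global, and a nat match with no global on the egress interface is dropped with "no translation group", with nat-control off); only connection-initiating packets are modelled, not replies on existing connections, and routing (the workstations' separate default gateway) is outside the model; the regexes cover only the statement forms that appear in this post; `translation`, `reachable_as` and `without` are names chosen here.

```python
import ipaddress
import re

# Constructed copy of the NAT-relevant lines from the original post
# (the ';' comment on the first line is the author's own).
ASA_CONFIG = """
name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")


def parse_asa_nat(text):
    """Collect name, static, nat and global statements from a pre-8.3 ASA config."""
    cfg = {"names": {}, "statics": [], "nats": [], "globals": []}
    lines = [ln.split(";")[0].strip() for ln in text.splitlines()]
    for ln in lines:                       # first pass: 'name' aliases
        if ln.startswith("name "):
            _, ip, alias = ln.split()[:3]
            cfg["names"][alias] = ip

    def res(tok):                          # alias -> IP, plain IPs pass through
        return cfg["names"].get(tok, tok)

    for ln in lines:                       # second pass: translation rules
        if m := STATIC_RE.match(ln):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append(dict(real_if=real_if, mapped_if=mapped_if,
                                       mapped=res(mapped), real=res(real), mask=mask))
        elif m := NAT_RE.match(ln):
            nat_if, nat_id, net, mask = m.groups()
            cfg["nats"].append(dict(iface=nat_if, id=nat_id, net=res(net), mask=mask))
        elif m := GLOBAL_RE.match(ln):
            g_if, g_id, pool = m.groups()
            cfg["globals"].append(dict(iface=g_if, id=g_id, pool=pool))
    return cfg


def _in_net(ip, net, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def _static_map(ip, rule):
    """Apply a static to one address; the offset inside the real subnet is kept."""
    off = int(ipaddress.ip_address(ip)) - int(ipaddress.ip_address(rule["real"]))
    return str(ipaddress.ip_address(int(ipaddress.ip_address(rule["mapped"])) + off))


def translation(cfg, src_if, src_ip, dst_if):
    """Translation a NEW connection from src_ip on src_if gets when leaving via dst_if.

    Modelled order (pre-8.3, nat-control off, an assumption of this example):
    static first, then nat+global; a nat match with no global on the egress
    interface is dropped ('no translation group'). Replies on existing
    connections are not modelled.
    """
    for s in cfg["statics"]:
        if s["real_if"] == src_if and s["mapped_if"] == dst_if and _in_net(src_ip, s["real"], s["mask"]):
            return ("static", _static_map(src_ip, s))
    for n in cfg["nats"]:
        if n["iface"] == src_if and _in_net(src_ip, n["net"], n["mask"]):
            for g in cfg["globals"]:
                if g["iface"] == dst_if and g["id"] == n["id"]:
                    return ("nat/global", g["pool"])
            return ("no translation group", None)
    return ("untranslated", src_ip)


def reachable_as(cfg, real_ip, real_if, from_if):
    """Address a host on from_if must use to reach real_ip (a static's mapped side wins)."""
    for s in cfg["statics"]:
        if s["real_if"] == real_if and s["mapped_if"] == from_if and _in_net(real_ip, s["real"], s["mask"]):
            return _static_map(real_ip, s)
    return real_ip


def without(text, line):
    """Return the config with one statement removed (the 'no static ...' case)."""
    return "\n".join(ln for ln in text.splitlines() if ln.strip() != line)


if __name__ == "__main__":
    cfg = parse_asa_nat(ASA_CONFIG)
    print("inside -> dmz:", translation(cfg, "inside", "192.168.3.50", "dmz"))
    print("mail server as seen from inside:", reachable_as(cfg, "192.168.100.20", "dmz", "inside"))
    trimmed = parse_asa_nat(without(ASA_CONFIG, "static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255"))
    print("after 'no static (dmz,inside)':", reachable_as(trimmed, "192.168.100.20", "dmz", "inside"))
```

Under the posted config, a new inside-to-dmz connection is covered by the identity static (inside,dmz); drop that line and the same flow matches nat (inside) 1, which has no global on dmz, so the model returns "no translation group", matching what Andrew saw before adding it. With static (dmz,inside) in place the server is presented to inside as 192.168.3.61, so that is the address inside clients would have to use; after the suggested "no static (dmz,inside)" the real address 192.168.100.20 is the one to use, and a dmz-initiated connection to inside then has no translation at all, which for a low-to-high direction is the safer default. None of this helps a workstation whose default gateway is the other router: that router still needs the route acomiskey gives, and reply packets on an existing connection follow the connection rather than this lookup.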
