New Member

ASA 5505 Inside Access to DMZ Server

Hello All!

I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.

So I set up an email server on our DMZ at 192.168.100.20. It can be accessed via https, imap, etc. from the Internet, no problem, from an IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)

I can ping the mail server through the ASA, and get a response from 192.168.100.20. I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.

Here's my config:

name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
interface Vlan1
 nameif inside
 ip address 192.168.3.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.94.68.123 255.255.255.248
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
access-group outside_access_in in interface outside

Thanks All!

Andrew
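The three static statements in the post are meant to pair up: one maps the mail server to 192.168.3.61 on the inside, one maps it to 67.94.68.124 on the outside, and the identity static lets the DMZ see inside hosts with their real addresses. The following script is an added example, not code from the original post or from Cisco. It parses the posted config (embedded as constructed sample input), resolves the name aliases, and traces a packet in each direction through the static entries only, using the ASA 7.x rule that a static (real_ifc,mapped_ifc) untranslates packets arriving on mapped_ifc for mapped_ip and translates the source of packets leaving mapped_ifc from real_ip. Dynamic nat/global, ACLs and the poster's "no translation group" error are not modelled; the workstation address 192.168.3.50 and the Internet client 203.0.113.9 are invented for the trace.

```python
"""Trace packets through the static NAT entries of the ASA config in the post.

Added example (not from the post or from Cisco). Models only `static`
translation; `nat`/`global` dynamic translation is deliberately left out.
"""
import ipaddress
import re

# The poster's config, reproduced here as sample input for the parser.
CONFIG = """
name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
interface Vlan1
 nameif inside
 ip address 192.168.3.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.94.68.123 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)


def parse_config(text):
    """Return (names, statics): name aliases and the static entries as networks."""
    names = {}
    statics = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            # `name <ip> <alias>`; anything after the alias (the poster's
            # ';' annotation) is ignored.
            _, ip, alias = line.split()[:3]
            names[alias] = ip
            continue
        m = STATIC_RE.match(line)
        if m:
            mapped_ip = names.get(m["mapped"], m["mapped"])
            real_ip = names.get(m["real"], m["real"])
            statics.append({
                "real_ifc": m["real_ifc"],
                "mapped_ifc": m["mapped_ifc"],
                # strict=False so host bits (a /32 host static) are accepted
                "mapped": ipaddress.ip_network(f"{mapped_ip}/{m['mask']}", strict=False),
                "real": ipaddress.ip_network(f"{real_ip}/{m['mask']}", strict=False),
            })
    return names, statics


def _shift(addr, src_net, dst_net):
    """Carry the host offset of addr within src_net over to dst_net."""
    offset = int(addr) - int(src_net.network_address)
    return dst_net.network_address + offset


def trace(statics, ingress_ifc, src, dst):
    """Return (egress_ifc, translated_src, translated_dst) as strings,
    or None if no static entry covers the destination on the ingress
    interface (a real ASA would then consult nat/global; not modelled)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # 1. Destination: a static whose mapped side faces the ingress interface
    #    untranslates the mapped address to the real one and picks egress.
    egress_ifc = real_dst = None
    for s in statics:
        if s["mapped_ifc"] == ingress_ifc and dst in s["mapped"]:
            egress_ifc = s["real_ifc"]
            real_dst = _shift(dst, s["mapped"], s["real"])
            break
    if egress_ifc is None:
        return None
    # 2. Source: a static from the ingress (real) side to the egress
    #    (mapped) side rewrites the source; otherwise it is left alone.
    mapped_src = src
    for s in statics:
        if s["real_ifc"] == ingress_ifc and s["mapped_ifc"] == egress_ifc and src in s["real"]:
            mapped_src = _shift(src, s["real"], s["mapped"])
            break
    return egress_ifc, str(mapped_src), str(real_dst)


NAMES, STATICS = parse_config(CONFIG)

if __name__ == "__main__":
    # Workstation on the inside talking to the mail server's inside alias.
    print(trace(STATICS, "inside", "192.168.3.50", "192.168.3.61"))
    # The mail server's reply back to that workstation.
    print(trace(STATICS, "dmz", "192.168.100.20", "192.168.3.50"))
    # An Internet client reaching the public address.
    print(trace(STATICS, "outside", "203.0.113.9", "67.94.68.124"))
```

The forward and return traces come out symmetric (the reply leaves the inside interface sourced from 192.168.3.61, which is what the workstation expects), so the statics themselves are consistent; whatever is breaking the TCP return path in the post lies outside what this static-only model covers, which is why the replies in the thread turn to the workstations' default gateway and routing rather than to the NAT statements.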

4 REPLIES
Green

Re: ASA 5505 Inside Access to DMZ Server

Why not just access it with its real address, 192.168.100.20? Just remove the destination nat statement.

no static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255

New Member

Re: ASA 5505 Inside Access to DMZ Server

I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add to workstations the ASA and a secondary default gateway and would that work?

Thanks!!

Andrew

Green

Re: ASA 5505 Inside Access to DMZ Server

I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?

ip route 192.168.100.0 255.255.255.0 192.168.3.2

New Member

Re: ASA 5505 Inside Access to DMZ Server

I was only able to ping after adding this:

static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Note that if I try to ftp the mail server the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mail server. So it seems the return packet is getting lost?

I will try the ip route thing.

Thanks,

Andrew
