ASA and DMZ Setup

sgoethals1
Level 1

Hi Folks,

I am testing an ASA5510 configuration prior to implementation. Currently we use static NAT for a number of machines located on the inside network that we access from the outside. I use Access-lists to control what ports are opened up. Everything seems to work fine.

I know that in the near future, I will be asked to setup a DMZ and place some items there. So, I have been testing a simple configuration where I have one machine in the DMZ and I open up ports to it. I also setup static nat for the machine in the dmz.

Here's the problem. What I am finding is that I can only get one side to work at a time.

I have the following statements in place, but when I view the config, only one of them is active. I am guessing that you can't have these statements applied to the same interface. If this is true, can someone tell me what I need to change.

access-group outside_access_in in interface outside

access-group outside_to_dmz in interface outside

As I said, only one statement seems to be saved. If I allow access to the inside, then I can't access the machine in the DMZ. If I allow the statement for the DMZ, then I can't access the machines on the inside network.

This seems to be the only hurdle I am facing with regards to getting this to work...I hope.

Any comments would be appreciated.

Accepted Solution

Jon Marshall
Hall of Fame

Scott

Just merge the 2 access-list together and use just the one ie.

Take the entries from your outside_to_dmz ACL and add them to your outside_access_in ACL, and then just apply outside_access_in to the interface. This is a very standard thing to do.

Jon


5 Replies

Collin Clark
VIP Alumni

Like IOS, you can only apply a single ACL to an interface per direction. You can combine the ACEs into a single ACL though:

access-list outside_access ext permit tcp any host 75.50.95.72 eq http

access-list outside_access ext permit tcp any host 75.50.95.73 eq smtp

One IP can NAT to the DMZ server and the other can NAT to the internal server.

Hope that helps.
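The following is an added example, not configuration posted by anyone in this thread. It puts together the pieces the replies describe: one inbound ACL on the outside interface with ACEs for both the DMZ host and the inside host, the matching statics (mapped IP first, real IP second), and the show/packet-tracer commands to confirm that only one access-group is bound per interface and direction. It uses the pre-8.3 `static` syntax the thread is using; on ASA 8.3 and later, NAT is configured with `object network` / `nat` statements and the inbound ACL references the real (private) addresses instead of the public ones. The public IPs, private IPs, names and interface names are illustrative assumptions; the dmz_access_in ACL is an added hardening step, not something the original poster asked about, and its final `permit ip any any` should be narrowed to what the DMZ host actually needs.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax.
! All addresses, names and interface names below are assumptions.
names
name 75.50.95.72 dmz_web_public
name 75.50.95.73 inside_mail_public

! Statics: static (real_ifc,mapped_ifc) mapped_ip real_ip
! Public (mapped) address first, real server address second.
static (dmz,outside) dmz_web_public 10.30.30.50 netmask 255.255.255.255
static (inside,outside) inside_mail_public 192.168.0.100 netmask 255.255.255.255

! One ACL for the outside interface: ACEs for the DMZ host and the inside
! host live in the same list. Anything not permitted here is dropped by the
! implicit deny at the end.
access-list outside_access_in extended permit tcp any host dmz_web_public eq http
access-list outside_access_in extended permit tcp any host dmz_web_public eq https
access-list outside_access_in extended permit tcp any host inside_mail_public eq smtp

! Only one access-group per interface per direction: this line replaces any
! earlier "access-group ... in interface outside".
access-group outside_access_in in interface outside

! Added hardening (assumption, not from the thread): keep the DMZ host from
! initiating connections to the inside network. Tighten the trailing
! permit to the DMZ host's real needs (DNS, updates, etc.).
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz

! Checks: confirm the bindings, the hit counts, and the path a packet takes.
show running-config access-group
show access-list outside_access_in
show xlate
packet-tracer input outside tcp 203.0.113.10 12345 75.50.95.72 80
packet-tracer input outside tcp 203.0.113.10 12345 75.50.95.73 25
packet-tracer input dmz tcp 10.30.30.50 12345 192.168.0.100 445
```

`show running-config access-group` should list exactly one `in interface outside` line; the first two `packet-tracer` runs should end in ALLOW and show the static translating the public address to the DMZ or inside host, and the third should end in DROP at the dmz_access_in ACL.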


Thanks, I will give it a try. Only one other question: do I need to change the static entries for the machines in the DMZ?

Currently they are setup with

static (dmz,outside) TEST 10.30.30.50 netmask 255.255.255.255

The machines on the inside network are, of course, set up as:

static (inside,outside) inside_machine 192.168.0.100 netmask 255.255.255.255

I appreciate the help and suggestions. I will try your suggestion as soon as I can and let you know what happens.

The first IP in the static should be the public IP; the second IP is the real internal IP address of the server.

static (dmz,outside) 75.50.95.72 10.30.30.50 netmask 255.255.255.255

static (inside,outside) 75.50.95.73 192.168.0.100 netmask 255.255.255.255

Thanks, but I had them set up properly. I use names instead of IP addresses for the outside, and that is what I was listing.

Thanks to all that replied. Everything is working fine now.
