DMZ Setup help...please

BEHowardGRDA
Level 1

I am trying to get my DMZ functioning properly and need some assistance. I have the outside to the DMZ functioning as it should, but can't seem to get access working between the inside and the DMZ. I've tried using suggestions from previous posts to no avail. I'm thinking it has something to do with exemptions overlapping with my NAT, etc., because with a clean config (no site-to-site VPN) it works fine...HELP! I've attached my config for reference.

1 Accepted Solution

Accepted Solutions

You will have to explain what you are trying to do.

Are you accessing hosts in the DMZ zone from the inside zone, right? Is this ICMP ping? Or FTP? Or what traffic? Tell me the source and destination IPs.

Also, can you paste the access list that you are binding to the DMZ interface? Remember this access list will need to permit traffic from the DMZ to the outside also.

9 Replies

andrew.prince
Level 10

Try adding:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.100.1.0 255.255.255.0

HTH

I tried your recommendation and it appears I may have to button hook the traffic back in now? My log doesn't show any traffic from my host to the DMZ host, and I no longer get the port map error I used to get.

singhsaju
Level 4

For traffic from inside to DMZ, you need just a NAT translation, i.e.

nat (inside) 10 0.0.0.0 0.0.0.0

global (DMZ) 10 interface

For traffic from DMZ to inside, you would need to open ports using an access list.

access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0

access-group DMZ_access_in in interface DMZ

HTH

Saju

I tried to add

nat (inside) 10 0.0.0.0 0.0.0.0

and it came back with "Duplicate NAT entry", since I have

nat (inside) 1 0.0.0.0 0.0.0.0

Should I drop the following?

nat (DMZ) 10 10.100.1.0 255.255.255.0

And add the ACL?

My logs show that the traffic hits the outside at 1.1.1.241; should that happen?

I greatly appreciate your help!

Yes, you do not need "nat (DMZ) 10 10.100.1.0 255.255.255.0":

no nat (DMZ) 10 10.100.1.0 255.255.255.0

Yes, add the access list including the networks as you need. I just included directly connected networks to give you an example.

Also, along with the access-list you will also need static statements if you want to access hosts in the inside zone, e.g. an identity static for the inside network used in the ACL above:

static (inside,DMZ) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

HTH

Saju

Pls rate helpful posts
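The exchange above (Saju's nat/global/access-group recipe and the "Duplicate NAT entry" the poster hit) boils down to two pre-8.3 ASA rules: every dynamic `nat (inside) <id>` needs a `global` with the same id on the interface the traffic leaves through, and a given network can only be bound to one nat id per interface. The script below is an added example, not code from the thread or from Cisco: it parses a pasted running-config excerpt and reports those problems, so a practitioner can lint a config before pushing it. The interface names and the sample configs (based on the addresses in this thread) are constructed for the example; the check assumes pre-8.3 NAT syntax, which is what the thread uses.

```python
import re
from typing import Dict, List

# Pre-8.3 ASA NAT syntax as used in this thread (assumed; 8.3+ uses object NAT).
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+)(?: (\S+))?")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_asa_nat(config: str) -> Dict[str, list]:
    """Collect nat, global and access-group statements from a config excerpt."""
    found = {"nat": [], "global": [], "access_group": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            ifname, nat_id, arg1, arg2 = m.groups()
            found["nat"].append({"if": ifname, "id": int(nat_id), "spec": (arg1, arg2)})
        elif m := GLOBAL_RE.match(line):
            ifname, nat_id, pool = m.groups()
            found["global"].append({"if": ifname, "id": int(nat_id), "pool": pool})
        elif m := ACCESS_GROUP_RE.match(line):
            acl, ifname = m.groups()
            found["access_group"].append({"acl": acl, "if": ifname})
    return found


def check_inside_to_dmz(config: str, inside: str = "inside", dmz: str = "DMZ") -> List[str]:
    """Return findings that explain why inside->DMZ (and DMZ-initiated) traffic may fail."""
    cfg = parse_asa_nat(config)
    findings: List[str] = []

    # 1. The same network bound twice on one interface with different ids is what
    #    the ASA rejects as "Duplicate NAT entry": reuse the existing id instead.
    seen: Dict[tuple, int] = {}
    for n in cfg["nat"]:
        if n["if"] != inside or n["id"] == 0:   # nat 0 is exemption, not dynamic NAT
            continue
        key = n["spec"]
        if key in seen and seen[key] != n["id"]:
            findings.append(
                f"nat ({inside}) ids {seen[key]} and {n['id']} both cover {key[0]} {key[1]}: "
                f"ASA reports 'Duplicate NAT entry'; reuse id {seen[key]} instead")
        seen.setdefault(key, n["id"])

    # 2. A dynamic nat id on the inside needs a global with that id on the DMZ,
    #    otherwise inside-to-DMZ flows have no translation (unless a nat 0 exemption covers them).
    global_ids = {(g["if"], g["id"]) for g in cfg["global"]}
    for key, nat_id in seen.items():
        if (dmz, nat_id) not in global_ids:
            findings.append(
                f"nat ({inside}) {nat_id} has no matching global ({dmz}) {nat_id}: add "
                f"'global ({dmz}) {nat_id} interface' (or a nat 0 exemption) for inside-to-{dmz} traffic")

    # 3. A nat statement on the DMZ whose id has no global anywhere translates nothing.
    any_global_ids = {g["id"] for g in cfg["global"]}
    for n in cfg["nat"]:
        if n["if"] == dmz and n["id"] != 0 and n["id"] not in any_global_ids:
            findings.append(
                f"nat ({dmz}) {n['id']} has no global with id {n['id']} on any interface; remove it")

    # 4. Without an inbound access-group on the DMZ, DMZ-initiated traffic to the
    #    higher-security inside is denied by default (replies to inside-initiated flows still pass).
    if not any(ag["if"] == dmz for ag in cfg["access_group"]):
        findings.append(f"no access-group bound 'in interface {dmz}': {dmz}-initiated traffic to {inside} is denied")
    return findings


# Constructed excerpts modelled on the thread (not the poster's attached config).
BROKEN_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (DMZ) 10 10.100.1.0 255.255.255.0
global (outside) 1 interface
"""

FIXED_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface
access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-group DMZ_access_in in interface DMZ
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for f in check_inside_to_dmz(cfg) or ["no findings"]:
            print(" -", f)
```

The key point the checker encodes is the one the poster ran into: since `nat (inside) 1 0.0.0.0 0.0.0.0` already exists, the way to give inside-to-DMZ traffic a translation is `global (DMZ) 1 interface` (the existing id), not a second `nat (inside)` with id 10. The script only reads the excerpt you paste; it does not evaluate the contents of a nat 0 exemption ACL, so a finding under rule 2 may be a false positive when such an exemption already covers the inside-to-DMZ pair.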

Still no luck. I have attached a capture file, the session just doesn't seem to complete...

The capture was done on the ASA with the egress set to inside and the ingress set to DMZ.

I've been doing some trace routes and it appears to be a routing issue on the inside. Thanks for the help! If I run into something else I'll post again.

Ended up being ACL on an inside router blocking the traffic...explains the absence of dropped packets in the logs.

Thanks again!
