New Member

DMZ to inside ASA 8.4/ASDM 6.4

Hello guys,

This is my first post so please forgive me if this has already been answered in the forum.

I have a standard ASA 5505 with inside, dmz and outside with the default security levels, 100/50/0. We have an email server inside which has been NATed and is working fine. However, users accessing the wireless on the dmz are unable to access their emails on https (443). How do I allow SSL access ONLY to users on the dmz using ASA 8.4 commands or ASDM 6.4?

Many thanks for any help.

/Slipz

10 REPLIES
Silver

DMZ to inside ASA 8.4/ASDM 6.4

Where are the wireless users? Inside or in DMZ zone?

Siddhartha
New Member

DMZ to inside ASA 8.4/ASDM 6.4

Thanks for your reply siddhartham. The wireless users are in the DMZ zone.

DMZ to inside ASA 8.4/ASDM 6.4

Hello,

You will need to allow that traffic in the DMZ access-list:

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 192.168.2.2 (inside email server) eq 443

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 192.168.2.2 (inside email server) eq 25

access-group dmz in interface dmz

Regards,

DO rate all the helpful posts

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

DMZ to inside ASA 8.4/ASDM 6.4

Thanks for your reply. I will try this later but I'm not sure that I can achieve this with an access-list only. I'll post details later.

DMZ to inside ASA 8.4/ASDM 6.4

Hello,

As you asked just for an ACL, I thought you already had the NAT.

Let's say the IP address of the inside server is 10.10.10.2 and the DMZ subnet is 192.168.12.0.

You want to NAT the inside server on the DMZ to 192.168.12.3.

Here is what you need:

object network Inside_server

host 10.10.10.2

object network DMZ_Server_global

host 192.168.12.3

nat (inside,dmz) source static Inside_server DMZ_Server_global

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 10.10.10.2 (inside email server) eq 443

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 10.10.10.2 (inside email server) eq 25

Do rate all the helpful posts!!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
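Added example, not code from the thread or from Cisco: a small first-match evaluator for the kind of extended ACL the two posts above describe, so the DMZ inbound policy can be checked before it is applied. It uses Julio's addressing (DMZ subnet 192.168.12.0/24, inside Exchange server 10.10.10.2, DMZ-side mapped address 192.168.12.3) and additionally assumes the inside subnet is 10.10.10.0/24. Since ASA 8.3 the interface ACL is evaluated against real (untranslated) addresses, which is why the rules name 10.10.10.2 rather than 192.168.12.3; the example also restricts the DMZ to port 443 only, as the original question asked, and adds the general internet permit that an applied access-group otherwise removes through its implicit deny.

```python
"""Added example (not from the thread): first-match evaluator for an
ASA-style extended ACL, applied to a constructed DMZ inbound policy.

Assumed addressing (constructed): DMZ subnet 192.168.12.0/24 and inside
Exchange server 10.10.10.2 from Julio's post; inside subnet 10.10.10.0/24
is an extra assumption for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed ASA 8.4 configuration. Only the access-list lines are parsed;
# the object, nat and access-group lines are kept so the whole picture sits
# in one place. Rule order matters: the ASA uses first match and, once an
# access-group is applied, ends with an implicit "deny ip any any", so the
# block of the rest of the inside network must come before the internet
# permit, and the ACL names the real address 10.10.10.2 (ASA 8.3+), not the
# DMZ-side mapped address 192.168.12.3.
ASA_CONFIG = """
object network Inside_server
 host 10.10.10.2
object network DMZ_Server_global
 host 192.168.12.3
nat (inside,dmz) source static Inside_server DMZ_Server_global
access-list dmz extended permit tcp 192.168.12.0 255.255.255.0 host 10.10.10.2 eq 443
access-list dmz extended deny ip 192.168.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz extended permit ip 192.168.12.0 255.255.255.0 any
access-group dmz in interface dmz
"""

PORT_NAMES = {"https": 443, "smtp": 25, "www": 80}


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(config, name):
    """Return the ordered rules of access-list NAME as
    (action, proto, src_net, dst_net, dst_port) tuples."""
    rules = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        rest = tokens[2:]
        if rest[0] == "extended":
            rest.pop(0)
        action, proto = rest.pop(0), rest.pop(0)
        src, dst = _parse_addr(rest), _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, src_ip, dst_ip, proto="tcp", dst_port=None):
    """First-match evaluation ending in the ASA's implicit deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"  # implicit deny ip any any


def check_dmz_policy(config=ASA_CONFIG):
    """Evaluate a few constructed DMZ flows against the parsed 'dmz' ACL."""
    rules = parse_acl(config, "dmz")
    phone = "192.168.12.50"  # constructed DMZ wireless client
    return {
        "owa_https": evaluate(rules, phone, "10.10.10.2", "tcp", 443),
        "smtp_to_exchange": evaluate(rules, phone, "10.10.10.2", "tcp", 25),
        "other_inside_host": evaluate(rules, phone, "10.10.10.20", "tcp", 443),
        "internet": evaluate(rules, phone, "203.0.113.10", "tcp", 443),
    }


if __name__ == "__main__":
    for flow, verdict in check_dmz_policy().items():
        print(f"{flow:>18}: {verdict}")
```

The evaluator is deliberately minimal (no object-groups, ranges or ICMP), but it is enough to show the two things the thread turns on: the permit line must match the server's real address, and the moment an access-group is bound to the dmz interface, everything not explicitly permitted, including the phones' internet access, is dropped.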
New Member

DMZ to inside ASA 8.4/ASDM 6.4

Many thanks jcarvaja for the update. I'll test this out tonight and post details.

Best regards,

Eric

DMZ to inside ASA 8.4/ASDM 6.4

Hello Eric,

My pleasure, I will be more than glad to help.

Regards,

Do rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

DMZ to inside ASA 8.4/ASDM 6.4

Hi jcarvaja,

Thanks again but your suggested solution does not appear to work.

Just to clarify:

1. We do not have any servers on the dmz network. All we use that for is to allow connections from smart phones through a wireless access point out to the internet.

2. The smartphones are able to access the internet but cannot access the public address of the Exchange server. We need to be able to allow ssl access only (from all mobile devices on the dmz) to the exchange public interface.

Found the following link which highlights a similar scenario but I'm not sure if the commands will work for ASA 8.4

https://supportforums.cisco.com/thread/2124287

.. appreciate any further help.

/Slipz

DMZ to inside ASA 8.4/ASDM 6.4

Hi Eric,

First thing, you may need to have an ACL created for the dmz zone to permit https from the dmz zone subnet to the email server.

Also, you need to check on the routing if any infra is present in the inside zone.

access-list permit tcp host eq https

access-list deny ip any any

Check if there are any hits when you try to access web mail through the mobiles. If hits are present for that... then you may need to check on the routing and other stuff related to the dmz.

Please let me know if this helps...
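Added example, not from the thread: the hit-count check suggested above, done against constructed `show access-list` output. The counters in the sample are made up; the line format (`line N ... (hitcnt=N)`) follows what the ASA prints. A permit line that stays at zero while the deny below it counts up means the phones' traffic is not matching the rule it was written for, which is where the routing or NAT questions in the post come in.

```python
"""Added example (not from the thread): parse ASA 'show access-list'
output and report rules that never matched.

The output below is constructed for this example; hit counts and hashes
are not real.
"""
import re

# Constructed output of "show access-list dmz" on a unit where the phones'
# HTTPS attempts are landing on the deny line instead of the permit line.
SHOW_ACCESS_LIST = """
access-list dmz; 3 elements; name hash: 0x1a2b3c4d
access-list dmz line 1 extended permit tcp 192.168.12.0 255.255.255.0 host 10.10.10.2 eq https (hitcnt=0) 0x5e6f7a8b
access-list dmz line 2 extended deny ip 192.168.12.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=14) 0x9c0d1e2f
access-list dmz line 3 extended permit ip 192.168.12.0 255.255.255.0 any (hitcnt=2310) 0x3a4b5c6d
"""

LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<num>\d+) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def hit_counts(output):
    """Map each ACE line number to (rule text, hit count) for one ACL."""
    counts = {}
    for line in output.strip().splitlines():
        m = LINE_RE.match(line)
        if m:  # header and element-count lines do not match and are skipped
            counts[int(m["num"])] = (m["rule"], int(m["hits"]))
    return counts


def unmatched_permits(output):
    """Line numbers of permit entries that have never matched a packet."""
    return [
        num for num, (rule, hits) in sorted(hit_counts(output).items())
        if rule.split()[1] == "permit" and hits == 0
    ]


if __name__ == "__main__":
    for num, (rule, hits) in sorted(hit_counts(SHOW_ACCESS_LIST).items()):
        print(f"line {num}: hitcnt={hits:<6} {rule}")
    print("permit lines with no hits:", unmatched_permits(SHOW_ACCESS_LIST))
```

On a real unit the same idea is `show access-list dmz` read by eye, or `clear access-list dmz counters` followed by one HTTPS attempt from a phone so that only that attempt's hits are visible.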

New Member

DMZ to inside ASA 8.4/ASDM 6.4

Greetings All,

Did a search on Google for a problem that sounds much like this one and found this thread. Did the above fix the problem? I'm not quite clear where the ACL was applied if the public addresses are not on an interface. I have the same situation; public IPs are defined in the NAT rules, but not associated with an interface. Thanks.

5439 Views, 5 Helpful, 10 Replies