1330 Views, 34 Helpful, 17 Replies

ASA: Need expert review. NAT problems with DMZ, inside, outside.

risenshine4th
Level 1

I am trying to fix a similar situation.

I need the "Masters" to review my configs so I can share the knowledge.

I can get to the Internet from the DMZ and the inside interfaces.

I'm trying to allow the inside interface to be able to access anything in the DMZ.

I would like to be able to browse the webpages.

Also I am trying to allow remote desktop into the DMZ. I want to keep the DMZ limited to the access rules and ports defined.

I've got several public IPs that go to the DMZ and inside depending on the port and service.

I've attached a clean detailed config.

17 Replies

I found that more than one firewall existed on one of my testing PC's. I ruled this out.

I am still unable to pass traffic as desired.

The DMZ should accept inside traffic by default. I think that the DMZ isn't allowing traffic back to the inside. I even created a simple configuration with the same results.

I made the security levels of the DMZ and inside the same level. I can now ping and pass traffic back and forth.

I suspect using outbound ACLs on the DMZ is a way to restrict the access.

I'd like to keep the levels different.

I'm rating previous posts and posing the question of why traffic won't pass.

My first thought is to cut back on your ACLs:

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

I would take all of the ones that are outbound off, leaving only the inbound access lists.

When you did your statics, did you clear your xlate table? (clear xlate) Generally the port translation error comes from the translation not being recognized, and you have to clear the table, or reboot the device, before they'll be seen.

--John

HTH, John *** Please rate all useful posts ***

I have been using a combination of the ASDM and the ASDM CLI. It appears that I was missing an ACL even though the Access rule was created and should have created an ACE.

Access rule existed without any ACL.

I recommend using just one or the other to configure. The ASDM seems to miss creating things. The CLI appears to be the best way to avoid this.

access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0

Access rule existed without any ACL.

permit ip 192.168.0.0 255.255.255.0 any
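To make John's advice about removing the outbound access-groups, and the OP's finding that an access rule existed without a matching ACL, easier to reason about, here is a small Python model of how an ASA decides whether a new flow between two interfaces is allowed. This is an added teaching example written for this thread, not Cisco code and not the OP's attached config. It applies the documented rules (no inbound ACL: higher security level to lower is permitted, lower to higher denied; an inbound ACL replaces that default and ends in an implicit deny; an outbound ACL on the egress interface is checked as well; equal levels need same-security-traffic permit inter-interface), and it flags every "out" access-group. The config it parses is constructed: the interface names inside/DMZ/outside and the 192.168.0.0/24 and 192.168.154.0/24 subnets follow the thread, the 203.0.113.5 outside host is invented, and NAT, stateful return traffic and port matching are deliberately not modelled.

```python
"""Simplified ASA interface access-policy model (teaching example, not a Cisco tool)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample config: thread subnets, invented interface numbering.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ_access_out extended permit tcp any 192.168.154.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
"""

@dataclass
class Interface:
    name: str
    security_level: int = 0
    acl_in: Optional[str] = None   # access-group <acl> in interface <name>
    acl_out: Optional[str] = None  # access-group <acl> out interface <name>

@dataclass
class Ace:
    action: str   # permit | deny
    proto: str    # ip | tcp | udp | icmp (ports are not modelled)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class Policy:
    interfaces: dict = field(default_factory=dict)
    acls: dict = field(default_factory=dict)
    same_security: bool = False   # same-security-traffic permit inter-interface

def _net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def parse_config(text):
    """Build a Policy from the commands this model understands; everything else is ignored."""
    pol, current = Policy(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            current = None                     # wait for nameif before registering it
        elif t[0] == "nameif":
            current = pol.interfaces.setdefault(t[1], Interface(t[1]))
        elif t[0] == "security-level" and current:
            current.security_level = int(t[1])
        elif t[0] == "access-list" and len(t) > 2 and t[2] == "extended":
            src, rest = _net(t[5:])            # t[3] = permit/deny, t[4] = protocol
            dst, _ = _net(rest)
            pol.acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst))
        elif t[0] == "access-group":           # access-group <acl> in|out interface <if>
            iface = pol.interfaces.setdefault(t[4], Interface(t[4]))
            if t[2] == "in":
                iface.acl_in = t[1]
            else:
                iface.acl_out = t[1]
        elif t[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            pol.same_security = True
    return pol

def acl_verdict(acl, proto, src, dst):
    """First matching ACE wins; an applied ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False

def flow_permitted(pol, ingress, egress, proto, src, dst):
    """Decide a new (not yet established) flow; returns (allowed, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ing, egr = pol.interfaces[ingress], pol.interfaces[egress]
    if ing.security_level == egr.security_level and not pol.same_security:
        return False, "same security level without same-security-traffic permit inter-interface"
    if ing.acl_in:
        # Model choice: an applied name with no ACEs behaves as deny-all.
        if not acl_verdict(pol.acls.get(ing.acl_in, []), proto, src, dst):
            return False, f"denied by inbound ACL {ing.acl_in} on {ingress}"
    elif ing.security_level < egr.security_level:
        return False, f"no inbound ACL on {ingress}: level {ing.security_level} to {egr.security_level} denied by default"
    if egr.acl_out and not acl_verdict(pol.acls.get(egr.acl_out, []), proto, src, dst):
        return False, f"denied by outbound ACL {egr.acl_out} on {egress}"
    return True, "permitted"

def outbound_acls(pol):
    """The ACLs John suggests taking off first: every 'out' access-group in the policy."""
    return {i.name: i.acl_out for i in pol.interfaces.values() if i.acl_out}

def drop_outbound_acls(pol):
    """Apply John's advice in the model: keep only the inbound access-groups."""
    for iface in pol.interfaces.values():
        iface.acl_out = None
    return pol

if __name__ == "__main__":
    pol = parse_config(SAMPLE_CONFIG)
    print("outbound access-groups applied:", outbound_acls(pol))
    flows = [("inside", "DMZ", "icmp", "192.168.0.10", "192.168.154.20"),
             ("inside", "DMZ", "tcp", "192.168.0.10", "192.168.154.20"),
             ("DMZ", "inside", "tcp", "192.168.154.20", "192.168.0.10"),
             ("outside", "DMZ", "tcp", "203.0.113.5", "192.168.154.20")]
    for f in flows:
        print(f, "->", flow_permitted(pol, *f))
    print("after dropping outbound ACLs:", flow_permitted(drop_outbound_acls(pol), *flows[0]))
```

In the constructed config the inside-to-DMZ ping is permitted by inside_access_in but then dropped by the tcp-only DMZ_access_out on the egress interface, which is exactly the kind of silent block an extra "out" access-group produces; once the outbound ACLs are dropped the same ping passes, while outside-to-DMZ is still denied because outside has no inbound ACL and sits at a lower level. Real packet-tracer output on the ASA should be the final word for a production box; this model only shows the order in which the checks bite.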
