Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
0
Helpful
4
Replies

DMZ - Help

saquib.nawazz
Level 1
Level 1

‎08-07-2009 12:28 AM - edited ‎03-09-2019 10:30 PM

Hi,

Recently we purchased ASA 5510 and need you help to understand why from inside I am not able to see DMZ Server and outside.Physical connectivity is ok, reachability from ASA to DMZ is Ok.

Traffic is going to internet from ASA

is the ACL correct as per my need

outside to DMZ need ports 1080,1081,6588,80,3128

DMZ to oustide need ports smtp,5512,dns udp and tcp.

Inside to DMZ, local server 192.168.1.55 should only communicate to DMZ Server

Can get help

I have plugged the configuration

Labels:
Preview file
3 KB
0 Helpful
4 Replies 4

Collin Clark
VIP Alumni
VIP Alumni

‎08-07-2009 06:13 AM

I see a couple of things to fix. In the DMZ ACL you are permitting the traffic you want ot allow from the outside, but it is applied inbound to the DMZ interface. It should be applied to the outside interface. Same for the OUTSIDE ACL. I would rename them to make more sense; outside2dmz or outside_dmz. Second, you're missing NAT for traffic to get to the internet for both the inside and the DMZ. You're also missing NAT for DMZ to inside (if you require it). If you need help with configuring NAT, just shout.

0 Helpful

saquib.nawazz
Level 1
Level 1
In response to Collin Clark

‎08-07-2009 08:15 AM

Hi Clark,

ACL Outside is restricting traffic comming from Inside.

ACL DMZ is allowing traffic going out (Inside)

ACL INSIDE is restricting traffic going out ( DMZ or Internet ) which was removed as others was not working.

Can get help on missing config and NAT

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to saquib.nawazz

‎08-07-2009 12:46 PM

To NAT from DMZ and INSIDE to OUTSIDE

global (OUTSIDE) 1 interface

!--- This will use the OUTSIDE IP as PAT

nat (INSIDE) 1 192.168.1.0 255.255.255.0

!--- This is who should be NAT'd

nat (DMZ) 1 10.100.200.0 255.255.255.0

!--- This is who should be NAT'd

You don't need NAT from INSIDE to DMZ.

0 Helpful

saquib.nawazz
Level 1
Level 1
In response to Collin Clark

‎08-07-2009 10:30 PM

Thanks

I got this clear.

Is the ACL Ok.

Is PAT required if -

We have Squid(Proxy)on inside network which should only send http traffic outside on internal user behalf.

allow IPSEC for Cisco Client VPN Traffic from inside to outside

Rest all other traffic should be blocked from inside to outside.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents