Cisco Support Community
Community Member

DMZ - Help

Hi,

Recently we purchased an ASA 5510 and need your help to understand why from inside I am not able to see the DMZ server and outside. Physical connectivity is OK, reachability from ASA to DMZ is OK.

Traffic is going to the internet from the ASA.

Is the ACL correct as per my need?

outside to DMZ need ports 1080,1081,6588,80,3128

DMZ to outside need ports smtp,5512,dns udp and tcp.

Inside to DMZ, local server 192.168.1.55 should only communicate to DMZ Server

Can I get help?

I have plugged the configuration

4 REPLIES

Re: DMZ - Help

I see a couple of things to fix. In the DMZ ACL you are permitting the traffic you want to allow from the outside, but it is applied inbound to the DMZ interface. It should be applied to the outside interface. Same for the OUTSIDE ACL. I would rename them to make more sense; outside2dmz or outside_dmz. Second, you're missing NAT for traffic to get to the internet for both the inside and the DMZ. You're also missing NAT for DMZ to inside (if you require it). If you need help with configuring NAT, just shout.
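An added sketch of the point made in this reply (not configuration from the thread): each ACL is bound inbound on the interface where the traffic it describes enters the ASA. It assumes pre-8.3 ASA syntax; the addresses 203.0.113.10 (public) and 10.100.200.10 (DMZ server), the ACL name dmz_out and the use of TCP for port 5512 are placeholders, since the thread does not give them.

```cisco
! --- Assumed addresses (constructed for illustration):
! ---   203.0.113.10   public address published for the DMZ server
! ---   10.100.200.10  real address of the DMZ server

! Publish the DMZ server on the outside interface (pre-8.3 static NAT).
static (DMZ,OUTSIDE) 203.0.113.10 10.100.200.10 netmask 255.255.255.255

! Outside -> DMZ: traffic enters on OUTSIDE, so the ACL is bound there.
! In pre-8.3 syntax the destination is the translated (public) address.
access-list outside_dmz extended permit tcp any host 203.0.113.10 eq www
access-list outside_dmz extended permit tcp any host 203.0.113.10 eq 1080
access-list outside_dmz extended permit tcp any host 203.0.113.10 eq 1081
access-list outside_dmz extended permit tcp any host 203.0.113.10 eq 3128
access-list outside_dmz extended permit tcp any host 203.0.113.10 eq 6588
access-group outside_dmz in interface OUTSIDE

! DMZ -> outside: traffic enters on DMZ, so this ACL is bound to DMZ.
! TCP for 5512 is an assumption; the thread gives only the port number.
access-list dmz_out extended permit tcp host 10.100.200.10 any eq smtp
access-list dmz_out extended permit tcp host 10.100.200.10 any eq 5512
access-list dmz_out extended permit udp host 10.100.200.10 any eq domain
access-list dmz_out extended permit tcp host 10.100.200.10 any eq domain
access-group dmz_out in interface DMZ

! Each ACL ends in an implicit deny, so anything not listed is dropped.
! Replies to permitted connections pass through stateful inspection and
! need no entry on the opposite interface.
```

`show access-list` displays per-entry hit counts, which confirms whether test traffic is matching the entries on the intended interface.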

Community Member

Re: DMZ - Help

Hi Clark,

ACL Outside is restricting traffic coming from Inside.

ACL DMZ is allowing traffic going out (Inside)

ACL INSIDE is restricting traffic going out (DMZ or Internet), which was removed as others were not working.

Can I get help on missing config and NAT?

Re: DMZ - Help

To NAT from DMZ and INSIDE to OUTSIDE

global (OUTSIDE) 1 interface

!--- This will use the OUTSIDE IP as PAT

nat (INSIDE) 1 192.168.1.0 255.255.255.0

!--- This is who should be NAT'd

nat (DMZ) 1 10.100.200.0 255.255.255.0

!--- This is who should be NAT'd

You don't need NAT from INSIDE to DMZ.

Community Member

Re: DMZ - Help

Thanks

I got this clear.

Is the ACL OK?

Is PAT required if -

We have Squid (proxy) on the inside network, which should only send http traffic outside on internal users' behalf.

Allow IPSEC for Cisco Client VPN traffic from inside to outside.

All other traffic should be blocked from inside to outside.
