Routing to public DMZ

Skigutane
Level 1

Hello.

I have set up an ASA 5510 for our network. It works fine for our network.

Now I need a way to set up the DMZ with public addresses.

The outside is a x.x.214.4 / 30 network, outside ASA ip is x.x.214.6.

For internal mail server, rd, ftp etc we have got a new network. This is y.y.251.192 / 29.

My problem is getting this working. I have some experience (MCSE), but my logic is not working with the ASA. Since it is ages since I have been programming Cisco through command line commands, I have only been using the ASDM.

Hope someone could help me. The traffic (web, mail, ftp etc) from inside (LAN) to outside is working fine. I also have a problem getting traffic from DMZ to inside.

Outside security level is 0, dmz is 50, inside is 100. H E L P!

3 Replies

acomiskey
Level 10

To get traffic from dmz to inside...let's say your inside network is 192.168.1.0/24.

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Then add the following acl to allow whatever traffic you desire from dmz to inside. This example is for www. Just add whatever access you desire before the "deny ip any 192.168.1.0" line.

access-list dmz-to-inside permit tcp any host x.x.x.x eq www

access-list dmz-to-inside deny ip any 192.168.1.0 255.255.255.0

access-list dmz-to-inside permit ip any any

access-group dmz-to-inside in interface dmz
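The ordering point in this reply (new permits go before the "deny ip any 192.168.1.0" line, and anything no line matches hits the ASA's implicit deny) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from Cisco: a toy parser for the extended ACE syntax above, with the reply's x.x.x.x replaced by a constructed inside web server 192.168.1.10 and a constructed DMZ host 203.0.113.5.

```python
import ipaddress

# Constructed sample: the dmz-to-inside ACL from the reply above, with the
# x.x.x.x placeholder replaced by a made-up inside web server, 192.168.1.10.
DMZ_TO_INSIDE = [
    "access-list dmz-to-inside permit tcp any host 192.168.1.10 eq www",
    "access-list dmz-to-inside deny ip any 192.168.1.0 255.255.255.0",
    "access-list dmz-to-inside permit ip any any",
]

# Subset of ASA port keywords this toy parser understands.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}

def _addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC [eq P] DST [eq P]' (extended ACE)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    _, rest = _port(rest)          # source port qualifier, ignored for this check
    dst, rest = _addr(rest)
    dport, _ = _port(rest)
    return action, proto, src, dst, dport

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """ASA semantics: first matching ACE wins; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, asrc, adst, adport in map(parse_ace, acl):
        if aproto not in ("ip", proto) or src not in asrc or dst not in adst:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ASA ACL

if __name__ == "__main__":
    # DMZ host to the inside web server on 80 is permitted; SMTP to it is not.
    print(evaluate(DMZ_TO_INSIDE, "tcp", "203.0.113.5", "192.168.1.10", 80))
    print(evaluate(DMZ_TO_INSIDE, "tcp", "203.0.113.5", "192.168.1.10", 25))
```

Moving the www permit below the deny line (or leaving it out) makes the same web request fall through to "deny", which is the mistake the reply warns about.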

Thanks, I now have access to my mail from inside!

The next step is to allow https, pop3 and smtp to and from outside.

Is it

access-list dmz-to-outside permit tcp any x.x.x.x https
access-list dmz-to-outside permit tcp any x.x.x.x pop3
access-list dmz-to-outside permit tcp any x.x.x.x smtp
access-list dmz-to-outside deny ip any 0.0.0.0 0.0.0.0

?

access-list outside_access_in permit tcp any host x.x.x.x eq https
access-list outside_access_in permit tcp any host x.x.x.x eq pop3
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
access-list outside_access_in deny ip any any

access-group outside_access_in in interface outside
