09-25-2008 03:05 AM
I am having some issues on my ASA 5510, which I just configured. I have created inside (users), DMZ (for my 3 servers: ISA, Exchange and WEB Client Sage) and outside interfaces. I have a router facing the internet.
Here is what I want to achieve:
1. inside user to access the servers in the dmz and vice versa.
2. inside user MUST go to the internet via ISA which is in the DMZ.
3. The servers in the DMZ have both public and private addresses but I want to do a 2 layer nat: one on the ASA and the other on the router facing the internet.
4. I want all the 3 servers to go to the internet with their respective public addresses.
5. I want users on the internet to access the servers in the DMZ only.
Someone should please help me out with the commands to achieve each task (please, I want tested commands).
Thanks a lot.
09-25-2008 03:25 AM
Let's say the inside network is 10.1.1.0/24 and the DMZ is 192.168.1.0/24.
1. inside user to access the servers in the dmz and vice versa
A:
static (inside,DMZ) 192.168.1.0 10.1.1.0 netmask 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group 100 in interface DMZ
2. inside user MUST go to the internet via ISA which is in the DMZ.
Let's say the ISA IP is 192.168.1.10/25:
route DMZ 0.0.0.0 0.0.0.0 192.168.1.10
But you need to do the NAT/PAT on the internet edge (your router, or on the ISA).
Till now OK.
After that,
I want to know whether you want to use your ASA as an on-a-stick device,
I mean, you want the traffic to go to the ISA, then back to the ASA, then to the router and then to the internet???
I think it is better if you put the ASA and the ISA back to back and make the DMZ in between, like:
inside---ASA---DMZ--ISA--router--internet
If helpful, rate,
and let me know as well.
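As an added example (not from this thread or from the poster above), here is how requirements 1, 3, 4 and 5 look in pre-8.3 ASA syntax using the addressing the reply above assumed; the server and "public" addresses are constructed placeholders, and requirement 2 is left out because the thread has not yet settled that traffic path.

```cisco
! Added example, not the thread's own configuration. Constructed addresses:
!   inside 10.1.1.0/24, DMZ 192.168.1.0/24 (as assumed in the reply above),
!   ISA 192.168.1.10, Exchange 192.168.1.11, web client 192.168.1.12,
!   ASA-side public block 203.0.113.0/29; the internet router translates
!   these again to the real public addresses (the second NAT layer).

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0

! 1. inside <-> DMZ with no address change: an identity static is bidirectional,
!    so DMZ hosts can reach 10.1.1.x and inside hosts can reach 192.168.1.x
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 3/4. one static per server, so each leaves with its own ASA-side public address
static (DMZ,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.4 192.168.1.11 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.5 192.168.1.12 netmask 255.255.255.255

! 5. from the internet, only the DMZ servers and only the ports they serve;
!    pre-8.3 ACLs on the outside interface match the translated (public) address
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.4 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.4 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! DMZ servers may talk to the inside (requirement 1) and to the internet (4)
access-list DMZ_IN extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ

! Default route to the internet router. The thread's "route DMZ 0.0.0.0 0.0.0.0
! 192.168.1.10" variant would also send the DMZ servers' own outbound traffic
! to the ISA, which is the design point still open in the discussion.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Requirement 2 (inside users out only via the ISA) needs the traffic path the later replies ask about; whichever way it is settled, the OUTSIDE_IN list above keeps internet-initiated connections limited to the DMZ servers.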
09-25-2008 03:57 AM
Thanks for your reply. One of the reasons for bringing in the ASA is to secure those 3 servers, since they are being accessed from outside. The alternative I have is to put a 2nd leg on the ISA which will connect to the inside switch.
As per your question: I want traffic coming from the inside to go to the ISA in the DMZ and go out to the internet.
If you have any other design, please kindly let me know. Thanks once again.
09-25-2008 04:03 AM
As I mentioned,
you can use it like:
inside--asa--outside---isa--router--internet
This way you will have two layers of security,
and you can use the caching on the ISA and web filtering as well.
On the ASA you can do more packet filtering and other inspections as well,
and the servers you can put on the LAN between the ASA and the ISA,
or make a DMZ on the ASA and put them there.
Hope this is helpful.
09-25-2008 08:49 AM
I prefer to stay with my current design. Can you please help me with the configs that pertain to my requirements?
Thanks
09-25-2008 07:09 PM
OK, just give me an exact description of the traffic path from the inside to the internet and from the internet to the inside and DMZ,
and where you prefer static NATing as well.
09-26-2008 12:19 PM
Here is what I want to achieve in terms of how traffic should flow:
1. inside user to access the servers in the dmz and vice versa.
2. inside user MUST go to the internet via ISA which is in the DMZ.
3. The servers in the DMZ have both public and private addresses but I want to do a 2 layer nat: one on the ASA and the other on the router facing the internet.
4. I want all the 3 servers to go to the internet with their respective public addresses.
5. I want users on the internet to access the servers in the DMZ only.
Please kindly give me the command that will make me achieve each step.
Thanks.
09-26-2008 06:11 PM
OK, everything is very clear, only one more thing:
2. inside user MUST go to the internet via ISA which is in the DMZ
Does that mean the ISA has a link to the internet router?
Just point me out about this one, I got confused about it.
If you have a simple drawing it will be excellent.
And how many public IPs do you have?