Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ASA 5550 configuration

hi,

i have installed ASA 5550 , my inside interface is connected to 2960 switch, users in the network have their default gateway pointing to ip address of ASA inside interface.

my question is that i have placed my proxy server, NMS and FTP server on DMZ zone. How the traffic will flow for internet access. All the users are pointing to their Default gateway. how ASA will forward traffic to proxy and then proxy forward to the internet.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA 5550 configuration

Hi Waseem,

If the web server in DMZ initiates a connection to the Inside, then ACL is required.

But if Inside users connect to the webserver in DMZ it wont need ACL, as traffic is flowing from High security zone to Low security zone.

11 REPLIES
Hall of Fame Super Blue

Re: ASA 5550 configuration

Presumably you have the proxy server configured in the web browser on the client PC's ?

If so assuming

client vlan = 192.168.5.0/24

ASA inside interface = 192.168.5.1

DMZ vlan = 192.168.10.0/24

Proxy server = 192.168.10.2

User requests web page, browser sees it needs to send packet to proxy so client PC sends packet to ASA inside interface. ASA then forwards packet onto the proxy server on DMZ.

Proxy server then sends request to web site requested by client PC.

Jon

Community Member

Re: ASA 5550 configuration

hi,

For ASA to forward traffic to proxy, should we need some sort of static mapping or not.

OR

bydefault ASA forward traffic to proxy. And for proxy to communicate to internet what should i do.

Thanks

Re: ASA 5550 configuration

For all servers in DMZ to reach internet you can do this

nat(dmz) 5 0 0

global(Outside) 5 interface

Now check whether you are able to reach the proxy server from the inside LAN, if not then you need to configure NONAT for traffic from inside to DMZ.

Community Member

Re: ASA 5550 configuration

hi,

Thanks for your response. i would like to ask you should i need some kind of ACL for traffic returning from internet to the proxy server. how should i configure NONAT for traffic from inside to DMZ. Please give my some details i.e if acls are applied or not

Thanks

Re: ASA 5550 configuration

HI,

ACL is not required for the return traffic from internet.

Now, for inside to DMZ, please check if you are ableto access the proxy server.

You shoud be able to access becuase by default, nat-control is disabled.

Community Member

Re: ASA 5550 configuration

Thanks for your help.

Another thing which i want to know is that i have placed my mail server in DMZ too. what sort of configuration do i need on ASA so that mail server will communicate with internet as well as with the inside network.

Thanks

Re: ASA 5550 configuration

If suppose your Mail server in DMZ is 172.16.20.25 and the IP on the Outside interface is A.B.C.D, then configure NAT and ACL like this,

static (dmz,Outside) tcp A.B.C.D 25 172.16.20.25 25

access-list out-in permit tcp any host A.B.C.D eq 25

access-group out-in in interface Outside

Community Member

Re: ASA 5550 configuration

hi,

how my inside users will communicate with mail server.

Thanks

Re: ASA 5550 configuration

With the dmz IP - 172.16.20.25.

Community Member

Re: ASA 5550 configuration

Thanks for your reply.

ok, do i need to configure any ACL for inside users to communicate with web server in DMZ and web server to communicate with inside users.

Thanks

Re: ASA 5550 configuration

Hi Waseem,

If the web server in DMZ initiates a connection to the Inside, then ACL is required.

But if Inside users connect to the webserver in DMZ it wont need ACL, as traffic is flowing from High security zone to Low security zone.

682
Views
0
Helpful
11
Replies
CreatePlease to create content