I have installed an ASA 5550. My inside interface is connected to a 2960 switch, and users in the network have their default gateway pointing to the IP address of the ASA inside interface.
My question is that I have placed my proxy server, NMS and FTP server in the DMZ zone. How will the traffic flow for internet access? All the users are pointing to their default gateway. How will the ASA forward traffic to the proxy, and then the proxy forward it to the internet?
Presumably you have the proxy server configured in the web browser on the client PCs?
If so, assuming:
client vlan = 192.168.5.0/24
ASA inside interface = 192.168.5.1
DMZ vlan = 192.168.10.0/24
Proxy server = 192.168.10.2
User requests a web page; the browser sees it needs to send the packet to the proxy, so the client PC sends the packet to the ASA inside interface. The ASA then forwards the packet on to the proxy server on the DMZ.
The proxy server then sends the request to the web site requested by the client PC.
For the ASA to forward traffic to the proxy, do we need some sort of static mapping or not?
By default the ASA forwards traffic to the proxy. And for the proxy to communicate with the internet, what should I do?
For all servers in the DMZ to reach the internet you can do this:
nat (dmz) 5 0 0
global (Outside) 5 interface
Now check whether you are able to reach the proxy server from the inside LAN; if not, then you need to configure NONAT for traffic from inside to the DMZ.
Thanks for your response. I would like to ask whether I need some kind of ACL for traffic returning from the internet to the proxy server. How should I configure NONAT for traffic from inside to the DMZ? Please give me some details, i.e. whether ACLs are applied or not.
An ACL is not required for the return traffic from the internet.
Now, for inside to DMZ, please check if you are able to access the proxy server.
You should be able to access it because, by default, nat-control is disabled.
Thanks for your help.
Another thing I want to know is that I have placed my mail server in the DMZ too. What sort of configuration do I need on the ASA so that the mail server can communicate with the internet as well as with the inside network?
Suppose your mail server in the DMZ is 172.16.20.25 and the IP on the Outside interface is A.B.C.D; then configure NAT and ACL like this:
static (dmz,Outside) tcp A.B.C.D 25 172.16.20.25 25
access-list out-in permit tcp any host A.B.C.D eq 25
access-group out-in in interface Outside
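The following is an added example, not configuration posted by anyone in this thread, that puts the pieces discussed above (inside-to-DMZ NONAT, DMZ-to-internet PAT, and the published mail server) into one ASA 8.2-style configuration. It assumes the addressing used earlier (inside 192.168.5.0/24 on 192.168.5.1, DMZ 192.168.10.0/24), a constructed DMZ address of 192.168.10.25 for the mail server so that it sits in the same DMZ VLAN as the proxy, A.B.C.D as a placeholder for the real Outside address, and hypothetical interface and ACL names.

```cisco
! Added example (not from the thread). Addresses, interface names and the
! ACL name nat_inside_dmz are assumptions; A.B.C.D is a placeholder.
!
! --- Interfaces: security levels decide what is allowed without an ACL.
!     Higher -> lower (inside -> dmz, inside -> Outside, dmz -> Outside) is
!     permitted by default; lower -> higher needs an ACL on the ingress interface.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address A.B.C.D 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! --- Inside -> DMZ: NONAT (identity NAT), so the proxy, NMS and mail
!     server see the real client addresses. Not needed while nat-control is
!     off and no dynamic NAT exists on inside; required once "nat (inside) 1"
!     below is added, otherwise inside hosts would also be PAT'ed to the DMZ.
access-list nat_inside_dmz extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nat_inside_dmz
!
! --- Inside -> Internet: dynamic PAT behind the Outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
!
! --- DMZ -> Internet (proxy, NMS, FTP, outbound mail): dynamic PAT, id 5
nat (dmz) 5 0.0.0.0 0.0.0.0
global (Outside) 5 interface
!
! --- Mail server: publish only TCP/25 on the Outside address. Every other
!     port of 192.168.10.25 stays unreachable from the internet, and the
!     Outside ACL admits nothing but SMTP to that one translation.
static (dmz,Outside) tcp interface 25 192.168.10.25 25 netmask 255.255.255.255
access-list out-in extended permit tcp any interface Outside eq 25
access-group out-in in interface Outside
```

Because dmz has a lower security level than inside, a DMZ host that needs to initiate connections to inside hosts (for example NMS polling) would additionally need an explicit ACL applied inbound on the dmz interface; return traffic of inside-initiated sessions is handled by the stateful inspection and needs no ACL.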
Thanks for your reply.
OK, do I need to configure any ACL for inside users to communicate with the web server in the DMZ, and for the web server to communicate with inside users?