bdalton731

asked on

How to Add DMZ Network to existing ASA 5510 Config

New to DMZ config on the ASA and can't ping from the inside network to the DMZ. Also, can't access the DMZ web server from outside. The DMZ web server is 192.168.210.100.


cisco-asa-config-reviora-EE.txt
djcapone

A DMZ is no different from another "inside" interface in some ways. You still need to define access-lists that define what traffic may enter the DMZ.

On an ASA, the ASA by default will allow traffic from a higher security interface (higher security-level number) to a lower security interface, but will drop traffic from a lower security interface to a higher security interface. In the case of your config, this means traffic will be allowed from the inside interface to the DMZ, from the inside to the outside, and from the DMZ to the outside. However, unless specifically granted by the use of an access-list, traffic will be dropped from the outside interface to the DMZ, from the outside interface to the inside, and from the DMZ to the inside.

Add an access-list to allow the traffic from the outside to the DMZ subnet that you want allowed, and you should be all set.
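As an added example (not djcapone's text and not the asker's attached configuration), here is the pre-8.3 ASA syntax that matches the `nat (inside) 0` style used in this thread, covering the three pieces a DMZ normally needs: the interface with its security level, a NAT rule for each direction, and the explicit access-list that opens the outside-to-DMZ path described above. The interface name `Ethernet0/2`, the security level 50, the public address 203.0.113.10 (an RFC 5737 documentation address standing in for the real one) and the ACL name `outside_access_in` are assumptions; the DMZ addresses and the inside subnet come from the thread. It also assumes the existing `global (outside) 1` that the page's `nat (inside) 1` relies on, and that no access-list is yet applied inbound on the outside interface (if one is, add the permit lines to that ACL instead of creating a new one).

```cisco
! DMZ interface: its security level sits between outside (0) and inside (100).
! Ethernet0/2 and level 50 are assumptions; the address is from the thread.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.210.1 255.255.255.0
!
! Inside -> DMZ: "nat (inside) 1 0.0.0.0 0.0.0.0" matches every inside source,
! so without a global (dmz) 1 the flow has no translation and is dropped.
! Exempt it from NAT instead (the same entry the asker added).
access-list inside_nat0_outbound extended permit ip 172.17.104.0 255.255.248.0 192.168.210.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! DMZ -> outside: PAT the DMZ subnet through the existing global (outside) 1.
nat (dmz) 1 192.168.210.0 255.255.255.0
!
! Outside -> DMZ web server: static NAT to a public address (203.0.113.10 is a
! placeholder) plus the explicit permit that a lower-to-higher flow requires.
! Only the web ports are opened; everything else from outside stays blocked.
static (dmz,outside) 203.0.113.10 192.168.210.100 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_access_in in interface outside
!
! Track ICMP state so echo replies from DMZ hosts return to inside clients
! without needing a separate access-list on the dmz interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Inside-to-DMZ traffic is permitted by default because inside has the higher security level, but it still needs the NAT exemption above, and without `inspect icmp` the echo replies coming back from the DMZ are dropped as unsolicited lower-to-higher traffic; if an access-list is already applied inbound on the inside interface, add a permit for 192.168.210.0/24 there as well. `packet-tracer input inside icmp 172.17.104.28 8 0 192.168.210.100` and `packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.10 80` (source address constructed) walk a flow through the rules and name the one that drops it, and `show xlate` confirms the static translation is in place. Test against a host in the DMZ rather than the DMZ interface address: the ASA does not answer pings sent to an interface other than the one the packet arrives on, so a failed ping to 192.168.210.1 from the inside network says nothing about the DMZ policy.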
ASKER CERTIFIED SOLUTION
hossam82

bdalton731 (ASKER)

Thanks for the response... I added the traffic sourced from the LAN to the DMZ in the NAT 0 ACL, but still can't ping 192.168.210.1 (the DMZ interface) from a client on the inside network, 172.17.104.28. Any ideas why the pings are not going through?

clt-n-asa5510# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
clt-n-asa5510# sh run access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 172.17.104.0 255.255.248.0 172.17.110.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.17.104.0 255.255.248.0 172.17.103.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.104.0 255.255.255.0 172.17.103.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.104.0 255.255.255.0 172.17.110.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.17.104.0 255.255.255.0 192.168.210.0 255.255.255.0
SOLUTION
You can't ping the firewall interface; ping is disabled by default. Try to ping any server in the DMZ from your LAN. The firewall doesn't reply to pings by default, and this is highly recommended.

Regards,
Hossam