
ASA 5505 DMZ with Public address

I'm trying to set up a DMZ that is accessible via a public IP. I have a public static address that I would like to assign to an edge server. There will be only one server in the DMZ and will need to open certain ports to the inside vlan. I'm not sure where to get started. I have created a vlan for the DMZ and gave it a 10.0.1.1 address range. I think I need to use nat and access lists, but I don't quite understand the syntax to do so.

I'm currently using an ASA 5505 running 8.3 with a security plus license.

I'm pretty sure it's a simplish command I just don't know what it would be.

Thanks!
Asked: btebedo
1 Solution
 
fgasimzadeCommented:
If you have only one public IP, you would need to assign it to the ASA outside interface and configure your server with an internal IP address. Then you have to use static NAT to forward requests coming to the public IP to the internal server.
0
 
btebedoAuthor Commented:
I have two public IPs. One is already attached to the outside interface and I would like to forward to the DMZ.
0
 
fgasimzadeCommented:
Ok, you don't have to use your second address then.

What is your ASA DMZ address?
0
 
fgasimzadeCommented:
And what are the ports you need to forward?
0
 
btebedoAuthor Commented:
Is it possible to use my second address for the DMZ? It will be used for Outlook Web Access, so I believe I will need 25, 80, and 443.

Currently the ASA DMZ address is 10.0.1.1 and the target is 10.0.1.10.
0
 
fgasimzadeCommented:
Yes, sure, you can use your second public IP for your server.

The config should look like this:

object network dmz-webaccess
 host 10.0.1.10
 nat (dmz,any) static x.x.x.x

access-list outside_access_in extended permit tcp any host 10.0.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq www
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq https

access-group outside_access_in in interface outside
0
 
fgasimzadeCommented:
Forgot to add

x.x.x.x - your second public IP address
0
 
fgasimzadeCommented:
One more thing, sorry

nat (dmz,any) static x.x.x.x - WRONG

should be

nat (dmz,outside) static x.x.x.x
0
 
btebedoAuthor Commented:
Great! I think that should solve that issue.

One last question:

What is the command to get hosts in the DMZ to connect to the internet?
0
 
fgasimzadeCommented:
You mean to browse the internet?
0
 
btebedoAuthor Commented:
Yes
0
 
fgasimzadeCommented:
Ok, you should go with

object network obj-10.0.1.0
 subnet 10.0.1.0 255.255.255.0
 nat (dmz,outside) dynamic x.x.x.x
0
 
btebedoAuthor Commented:
Is the x.x.x.x the same as above?

It doesn't seem to be working. It gives me this warning when I issue the commands:

WARNING: Pool (x.x.x.x) overlap with existing pool.

x.x.x.x being the address I'm using with the DMZ
0
 
fgasimzadeCommented:
Oh, I thought you wanted to use either of these commands, not all together.

You will need to change the static NAT then:

object network dmz-webaccess
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 80 80
object network dmz-webaccess-25
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 25 25
object network dmz-webaccess-443
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 443 443

Dynamic NAT statement remains the same
0
 
btebedoAuthor Commented:
Okay. That worked as well. I think this is the very last question...

I want to allow the 10.0.1.10 machine to allow connection from port 25 into an internal server. Every time I add an access rule to do so it stops communicating with the outside world.

I'm not quite sure why this is happening...
0
 
fgasimzadeCommented:
You mean you need communication from inside to dmz?
0
 
btebedoAuthor Commented:
I'm kind of confused.

I have a server in the dmz. It needs to talk to another server on the inside network. I know I can access the machine in the dmz from the internal server, but is it possible to have the machine in the dmz initiate communication on port 25 to the machine inside the network?
0
 
btebedoAuthor Commented:
I figured it out.

I had to add this to my dmz acl:

access-list <dmz-acl-name> permit tcp <dmz-subnet> <mask> host <exchange-server> eq <port-for-exchange>
access-list <dmz-acl-name> deny ip <dmz-subnet> <mask> <inside-subnet> <mask>
access-list <dmz-acl-name> permit ip <dmz-subnet> <mask> any

Thank you for your help!
0
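The thread's final working configuration pulled together in one place, as an added example rather than any poster's own config. It assumes interface nameif values outside, inside and dmz, and uses constructed placeholders: x.x.x.x for the second public IP, 192.168.1.0/24 for the inside subnet and 192.168.1.20 for the inside Exchange server. ASA object NAT accepts one nat rule per object, so each forwarded port gets its own object pointing at the same real host.

```cisco
! Added example, not a poster's config. Placeholders (constructed):
! x.x.x.x = second public IP, 192.168.1.0/24 = inside subnet,
! 192.168.1.20 = inside Exchange server. Interfaces: outside, inside, dmz.

! Port forwards to the DMZ host: one network object per published port,
! because an object can carry only a single nat statement.
object network dmz-web-http
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 80 80
object network dmz-web-https
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 443 443
object network dmz-web-smtp
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 25 25

! Outbound PAT for the rest of the DMZ on the same public IP; the
! port-specific static rules above win for inbound 25/80/443.
object network obj-10.0.1.0
 subnet 10.0.1.0 255.255.255.0
 nat (dmz,outside) dynamic x.x.x.x

! Inbound from the Internet. On 8.3+ the ACL matches the real
! (untranslated) address, so it names 10.0.1.10, not x.x.x.x.
! Only the three published ports are opened.
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq www
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq https
access-group outside_access_in in interface outside

! From the DMZ. Applying any ACL to an interface replaces the default
! security-level behaviour with the ACL plus its implicit deny, which is
! why a lone "permit tcp ... eq smtp" rule cut off Internet access.
! Allow only SMTP to the inside relay, block everything else inside-bound,
! then permit the rest (Internet) explicitly.
access-list dmz_access_in extended permit tcp host 10.0.1.10 host 192.168.1.20 eq smtp
access-list dmz_access_in extended deny ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip 10.0.1.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
```

The deny-before-permit ordering matters: without the deny line, the trailing "permit ip ... any" would also let the DMZ host reach every inside address, not just the mail relay.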
 
fgasimzadeCommented:
Well done!
0