btebedo
asked on
ASA 5505 DMZ with Public address
I'm trying to set up a DMZ that is accessible via a public IP. I have a public static address that I would like to assign to an edge server. There will be only one server in the DMZ and will need to open certain ports to the inside vlan. I'm not sure where to get started. I have created a vlan for the DMZ and gave it a 10.0.1.1 address range. I think I need to use nat and access lists, but I don't quite understand the syntax to do so.
I'm currently using an ASA 5505 running 8.3 with a security plus license.
I'm pretty sure it's a simplish command I just don't know what it would be.
Thanks!
If you have only one public IP, you would need to assign it to the ASA outside interface and configure your server with an internal IP address. Then you have to use static NAT to forward requests coming to the public IP to the internal server.
ASKER
I have two public IPs. One is already attached to the outside interface and I would like to forward to the DMZ.
Ok, you don't have to use your second address then.
What is your ASA DMZ address?
And what are the ports you need to forward?
ASKER
Is it possible to use my second address for the DMZ? It will be used for outlook web access so I believe I will need 25, 80, and 443.
Currently the asa DMZ address is 10.0.1.1 and the target is 10.0.1.10
Yes, sure, you can use your second public IP for your server.
The config should look like this:
object network dmz-webaccess
host 10.0.1.10
nat (dmz,any) static x.x.x.x
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq www
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq 443
access-group outside_access_in in interface outside
Forgot to add
x.x.x.x - your second public ip address
One more thing, sorry
nat (dmz,any) static x.x.x.x - WRONG
should be
nat (dmz,outside) static x.x.x.x
ASKER
Great! I Think that should solve that issue.
One last question:
What is the command to get hosts in the DMZ to connect to the internet?
you mean to browse the internet?
ASKER
Yes
Ok, you should go with
object network obj-10.0.1.0
subnet 10.0.1.0 255.255.255.0
nat (dmz,outside) dynamic x.x.x.x
ASKER
Is the x.x.x.x the same as above?
It doesn't seem to be working. It gives me this warning when I issue the commands:
WARNING: Pool (x.x.x.x) overlap with existing pool.
x.x.x.x being the address I'm using with the dmz
ASKER CERTIFIED SOLUTION
ASKER
Okay. That worked as well. I think this is the very last question...
I want to allow the 10.0.1.10 machine to allow connection from port 25 into an internal server. Every time I add an access rule to do so it stops communicating with the outside world.
I'm not quite sure why this is happening...
You mean you need communication from inside to dmz?
ASKER
I'm kind of confused.
I have a server in the dmz. It needs to talk to another server on the inside network. I know I can access the machine in the dmz from the internal server, but is it possible to have the machine in the dmz initiate communication on port 25 to the machine inside the network?
ASKER
I figured it out.
I had to add this to my dmz acl:
access-list <dmz-acl-name> permit tcp <dmz-subnet> <mask> host <exchange-server> eq <port-for-exchange>
access-list <dmz-acl-name> deny ip <dmz-subnet> <mask> <inside-subnet> <mask>
access-list <dmz-acl-name> permit ip <dmz-subnet> <mask> any
Thank you for your help!
Well done!
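As an added illustration (not part of the thread or of any Cisco tool), the Python below models how the ASA evaluates the DMZ interface ACL from the asker's last post: first matching line wins, and once an ACL is bound to an interface its implicit deny replaces the default permit from a higher-security to a lower-security interface, which is why a lone permit line cut the DMZ server off from the internet. The inside subnet 192.168.1.0/24 and the Exchange host 192.168.1.25 are constructed placeholders for the thread's <inside-subnet> and <exchange-server>.

```python
"""First-match ACL evaluation, modelled on an ASA interface ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port; None means any port

def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True when the packet fits every field of this access-list entry."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src:
        return False
    if ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry; an applied ACL ends in an implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("10.0.1.0/24")            # DMZ subnet from the thread
INSIDE = ipaddress.ip_network("192.168.1.0/24")      # constructed inside subnet
EXCHANGE = ipaddress.ip_network("192.168.1.25/32")   # constructed Exchange host

# The asker's first attempt: one permit line, so everything else hits the implicit deny.
BROKEN_DMZ_ACL = [Ace("permit", "tcp", DMZ, EXCHANGE, 25)]

# The working three-line ACL from the thread: SMTP to Exchange, block the rest of
# inside, then let the DMZ reach the internet.
DMZ_ACL = [
    Ace("permit", "tcp", DMZ, EXCHANGE, 25),
    Ace("deny", "ip", DMZ, INSIDE),
    Ace("permit", "ip", DMZ, ANY),
]

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_DMZ_ACL), ("working", DMZ_ACL)):
        print(name, "dmz->internet:443", evaluate(acl, "tcp", "10.0.1.10", "203.0.113.10", 443))
        print(name, "dmz->exchange:25", evaluate(acl, "tcp", "10.0.1.10", "192.168.1.25", 25))
        print(name, "dmz->inside:445", evaluate(acl, "tcp", "10.0.1.10", "192.168.1.50", 445))
```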