Solved

ASA 5505 DMZ with Public address

Posted on 2012-08-14
Last Modified: 2012-08-16
I'm trying to set up a DMZ that is accessible via a public IP. I have a public static address that I would like to assign to an edge server. There will be only one server in the DMZ and will need to open certain ports to the inside vlan. I'm not sure where to get started. I have created a vlan for the DMZ and gave it a 10.0.1.1 address range. I think I need to use nat and access lists, but I don't quite understand the syntax to do so.

I'm currently using an ASA 5505 running 8.3 with a security plus license.

I'm pretty sure it's a simplish command I just don't know what it would be.

Thanks!
Question by:btebedo
Expert Comment

by:fgasimzade
ID: 38294971
If you have only one public IP, you would need to assign it to the ASA outside interface and configure your server with an internal IP address. Then you have to use static NAT to forward requests coming to the public IP to the internal server.

Author Comment

by:btebedo
ID: 38295810
I have two public IPs. One is already attached to the outside interface and I would like to forward to the DMZ.

Expert Comment

by:fgasimzade
ID: 38295838
Ok, you don't have to use your second address then.

What is your ASA DMZ address?

Expert Comment

by:fgasimzade
ID: 38295849
And what are the ports you need to forward?

Author Comment

by:btebedo
ID: 38295891
Is it possible to use my second address for the DMZ? It will be used for outlook web access so I believe I will need 25, 80, and 443.

Currently the ASA DMZ address is 10.0.1.1 and the target is 10.0.1.10.

Expert Comment

by:fgasimzade
ID: 38295956
Yes, sure, you can use your second public IP for your server.

The config should look like this:

object network dmz-webaccess
 host 10.0.1.10
 nat (dmz,any) static x.x.x.x

access-list outside_access_in extended permit tcp any host 10.0.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq www
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq 443

access-group outside_access_in in interface outside

Expert Comment

by:fgasimzade
ID: 38295958
Forgot to add

x.x.x.x - your second public IP address

Expert Comment

by:fgasimzade
ID: 38295963
One more thing, sorry

nat (dmz,any) static x.x.x.x - WRONG

should be

nat (dmz,outside) static x.x.x.x

Author Comment

by:btebedo
ID: 38296009
Great! I think that should solve that issue.

One last question:

What is the command to get hosts in the DMZ to connect to the internet?

Expert Comment

by:fgasimzade
ID: 38296022
You mean to browse the internet?

Author Comment

by:btebedo
ID: 38296030
Yes

Expert Comment

by:fgasimzade
ID: 38299300
Ok, you should go with

object network obj-10.0.1.0
   subnet 10.0.1.0 255.255.255.0
   nat (dmz,outside) dynamic x.x.x.x

Author Comment

by:btebedo
ID: 38300482
Is the x.x.x.x the same as above?

It doesn't seem to be working. It gives me this warning when I issue the commands:

WARNING: Pool (x.x.x.x) overlap with existing pool.

x.x.x.x being the address I'm using with the DMZ.

Accepted Solution

by:fgasimzade (earned 2000 total points)
ID: 38300626
Oh, I thought you wanted to use either of these commands, not all together.

You will need to change the static NAT then.

! ASA 8.3 allows one nat statement per network object, so each forwarded port gets its own object for the same host.
object network dmz-webaccess-www
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 80 80
object network dmz-webaccess-smtp
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 25 25
object network dmz-webaccess-https
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 443 443



The dynamic NAT statement remains the same.

Author Comment

by:btebedo
ID: 38301068
Okay. That worked as well. I think this is the very last question...

I want to allow the 10.0.1.10 machine to allow connection from port 25 into an internal server. Every time I add an access rule to do so it stops communicating with the outside world.

I'm not quite sure why this is happening...

Expert Comment

by:fgasimzade
ID: 38301095
You mean you need communication from inside to dmz?

Author Comment

by:btebedo
ID: 38301135
I'm kind of confused.

I have a server in the dmz. It needs to talk to another server on the inside network. I know I can access the machine in the dmz from the internal server, but is it possible to have the machine in the dmz initiate communication on port 25 to the machine inside the network?

Author Comment

by:btebedo
ID: 38301669
I figured it out.

I had to add this to my DMZ ACL:

access-list <dmz-acl-name> permit tcp <dmz-subnet> <mask> host <exchange-server> eq <port-for-exchange>
access-list <dmz-acl-name> deny ip <dmz-subnet> <mask> <inside-subnet> <mask>
access-list <dmz-acl-name> permit ip <dmz-subnet> <mask> any

Thank you for your help!

Expert Comment

by:fgasimzade
ID: 38301731
Well done!
