
ASA 5505 DMZ with Public address

I'm trying to set up a DMZ that is accessible via a public IP. I have a public static address that I would like to assign to an edge server. There will be only one server in the DMZ and will need to open certain ports to the inside vlan. I'm not sure where to get started. I have created a vlan for the DMZ and gave it a 10.0.1.1 address range. I think I need to use nat and access lists, but I don't quite understand the syntax to do so.

I'm currently using an ASA 5505 running 8.3 with a security plus license.

I'm pretty sure it's a simplish command I just don't know what it would be.

Thanks!

Top Expert 2011

Commented:
If you have only one public IP, you would need to assign it to the ASA outside interface and configure your server with an internal IP address. Then you have to use static NAT to forward requests coming to the public IP to the internal server.

Author

Commented:
I have two public IPs. One is already attached to the outside interface and I would like to forward to the DMZ.
Top Expert 2011

Commented:
Ok, you don't have to use your second address then.

What is your ASA DMZ address?
Top Expert 2011

Commented:
And what are the ports you need to forward?

Author

Commented:
Is it possible to use my second address for the DMZ? It will be used for Outlook Web Access, so I believe I will need 25, 80, and 443.

Currently the asa DMZ address is 10.0.1.1 and the target is 10.0.1.10
Top Expert 2011

Commented:
Yes, sure, you can use your second public IP for your server.

The config should look like this:

object network dmz-webaccess
 host 10.0.1.10
 nat (dmz,any) static x.x.x.x

! ASA syntax, not IOS "ip access-list"; on 8.3+ the ACL matches the real
! (untranslated) DMZ address, not the public one
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq www
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq 443

access-group outside_access_in in interface outside
Top Expert 2011

Commented:
Forgot to add

x.x.x.x - your second public ip address
Top Expert 2011

Commented:
One more thing, sorry

nat (dmz,any) static x.x.x.x - WRONG

should be

nat (dmz,outside) static x.x.x.x

Author

Commented:
Great! I think that should solve that issue.

One last question:

What is the command to get hosts in the DMZ to connect to the internet?
Top Expert 2011

Commented:
you mean to browse the internet?

Author

Commented:
Yes
Top Expert 2011

Commented:
Ok, you should go with

object network obj-10.0.1.0
 subnet 10.0.1.0 255.255.255.0
 nat (dmz,outside) dynamic x.x.x.x

Author

Commented:
Is the x.x.x.x the same as above?

It doesn't seem to be working. It gives me this warning when I issue the commands:

WARNING: Pool (x.x.x.x) overlap with existing pool.

x.x.x.x being the address I'm using with the DMZ
Top Expert 2011
Commented:
Oh, I thought you want to use either of these commands, not all together

You will need to change static nat then

! ASA object NAT allows one nat line per network object, so each
! forwarded port gets its own object pointing at the same host
object network dmz-webaccess-www
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 80 80
object network dmz-webaccess-smtp
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 25 25
object network dmz-webaccess-https
 host 10.0.1.10
 nat (dmz,outside) static x.x.x.x service tcp 443 443



Dynamic NAT statement remains the same

Author

Commented:
Okay. That worked as well. I think this is the very last question...

I want to allow the 10.0.1.10 machine to make a connection on port 25 into an internal server. Every time I add an access rule to do so it stops communicating with the outside world.

I'm not quite sure why this is happening...
Top Expert 2011

Commented:
You mean you need communication from inside to dmz?

Author

Commented:
I'm kind of confused.

I have a server in the dmz. It needs to talk to another server on the inside network. I know I can access the machine in the dmz from the internal server, but is it possible to have the machine in the dmz initiate communication on port 25 to the machine inside the network?

Author

Commented:
I figured it out.

I had to add this to my dmz acl:

! order matters: ACLs are first-match, and an applied ACL ends in an implicit deny
access-list <dmz-acl-name> permit tcp <dmz-subnet> <mask> host <exchange-server> eq <port-for-exchange>
access-list <dmz-acl-name> deny ip <dmz-subnet> <mask> <inside-subnet> <mask>
access-list <dmz-acl-name> permit ip <dmz-subnet> <mask> any

Thank you for your help!
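The reason the earlier single rule "stopped communicating with the outside world": with inside at security level 100, dmz at 50 and outside at 0, the ASA permits higher-to-lower traffic (dmz to outside) with no ACL at all, but the moment an access-group is applied to the dmz interface that implicit permit is replaced by the ACL's implicit deny, so outbound traffic must be permitted explicitly. The following is an added example, not configuration posted in this thread, that pulls the pieces above into one ASA 8.3 config for the scenario described. Interface names and security levels, the VLAN number, the public IP 203.0.113.10 (standing in for x.x.x.x), the inside subnet 192.168.1.0/24 and the Exchange host 192.168.1.25 are all assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumed values:
!   outside : second public IP 203.0.113.10 (stand-in for x.x.x.x)
!   inside  : 192.168.1.0/24, Exchange server 192.168.1.25
!   dmz     : 10.0.1.0/24, OWA edge server 10.0.1.10 (from the thread)
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
! --- NAT (8.3 object NAT: exactly one nat line per network object) ---
! Outbound PAT for the whole DMZ subnet behind the second public IP.
object network obj-dmz-subnet
 subnet 10.0.1.0 255.255.255.0
 nat (dmz,outside) dynamic 203.0.113.10
!
! Inbound static PAT, one object per forwarded port. A plain
! "static 203.0.113.10" would claim the whole address and trigger the
! "Pool overlap" warning against the dynamic rule above.
object network dmz-owa-smtp
 host 10.0.1.10
 nat (dmz,outside) static 203.0.113.10 service tcp 25 25
object network dmz-owa-www
 host 10.0.1.10
 nat (dmz,outside) static 203.0.113.10 service tcp 80 80
object network dmz-owa-https
 host 10.0.1.10
 nat (dmz,outside) static 203.0.113.10 service tcp 443 443
!
! --- Outside ACL: on 8.3+ the ACL sees the real (untranslated) DMZ address ---
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq www
access-list outside_access_in extended permit tcp any host 10.0.1.10 eq https
access-group outside_access_in in interface outside
!
! --- DMZ ACL: first match wins, implicit deny at the end ---
! 1) the one exception into the inside network (OWA server -> Exchange, SMTP)
! 2) block the DMZ from reaching anything else inside
! 3) let the DMZ out to the internet (the permit the implicit rule used to give)
access-list dmz_access_in extended permit tcp host 10.0.1.10 host 192.168.1.25 eq smtp
access-list dmz_access_in extended deny ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip 10.0.1.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
```

Two checks worth running after applying it: `show nat detail` should list the three static port rules and the dynamic rule without overlap, and `packet-tracer input dmz tcp 10.0.1.10 12345 192.168.1.25 25` (and the same with a different inside destination) should show the first permitted and the second dropped by dmz_access_in. Keep the deny line narrow to the inside subnet; if it were written as `deny ip ... any` it would also swallow the outbound permit below it.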
Top Expert 2011

Commented:
Well done!