ASA 5510 with DMZ and proxies

Hi All,


I have a network set up and running for some time where we have an internal network that accesses the internet via a squid proxy. This high side proxy has two NICs, one connected to the internal network and one connected to the inside interface of the ASA 5510 (v8.2, ASDM 6.2). The outside interface of the ASA is then connected to a low side proxy, which in turn is connected to the internet. This all works fine and has been running fine for 4 years. We now have a need to have a web server on the DMZ that both our clients and we ourselves can access. We would still require access to the web server from the inside network via our high side proxy. I am just not sure what is needed for this to work. The following is our current config.


interface Ethernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/1
 description dmz
 nameif dmz
 security-level 10
 ip address 10.89.40.1 255.255.255.0
!
interface Ethernet0/3
 description inside
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
access-list inside_in remark Known proxy port.
access-list inside_in extended permit tcp any any eq 3128
access-list inside_in extended permit udp any any eq ntp
! The following two allow email access from the outside-facing interface of the high side proxy
access-list inside_in extended permit tcp host 10.89.20.11 any eq smtp
access-list inside_in extended permit tcp host 10.89.20.11 any eq 587
access-list inside_in extended deny tcp any any eq smtp
access-list inside_in extended deny tcp any any eq 587
! Note: this final permit lets everything else through, so the 3128 and ntp permits above only
! document intent; only the two smtp/587 denies actually restrict anything from the inside.
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
! route all outbound traffic to the asa facing interface of the low side proxy
route outside 0.0.0.0 0.0.0.0 10.89.30.12 1
! route all inbound traffic for the inside network to the asa facing interface of the high side proxy
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1

On the high side proxy, I have modified the squid.conf to allow direct access to 10.89.40.0/24 so that it is not directed to the low side proxy.


TIA,

Vlad


Hi All,


All fixed. The ASA part ended up being fairly simple to do. The configuration of the two proxies was a pain, but all done now.


Vlad
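The thread ends without the ASA side of the fix being shown. The following is an added example, not Vlad's configuration, of what the ASA part of this design typically looks like in the 8.2 syntax he is running (8.3 and later replaced `static` with object NAT and match interface ACLs on the real address instead of the mapped one). It assumes a web server at 10.89.40.50 on the dmz, a mapped address of 10.89.30.50 chosen from the outside subnet, and that `nat-control` is disabled (the 8.2 default), so no translation is required for inside-to-dmz traffic; all three are assumptions, not facts from the thread.

```text
! Added example (not from the thread): ASA 8.2, DMZ web server reachable from outside and inside.
! Assumed addresses: real 10.89.40.50 (dmz), mapped 10.89.30.50 (outside). nat-control assumed off.

! 1. Present the DMZ server on the outside subnet so the low side proxy (10.89.30.12) can forward
!    client requests to it without needing a route to 10.89.40.0/24.
!    8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (dmz,outside) 10.89.30.50 10.89.40.50 netmask 255.255.255.255

! 2. Permit only HTTP/HTTPS from the outside to the mapped address. In 8.2 an interface ACL
!    matches the translated address (10.89.30.50), not the real one.
access-list outside_in extended permit tcp any host 10.89.30.50 eq www
access-list outside_in extended permit tcp any host 10.89.30.50 eq https
access-group outside_in in interface outside

! 3. Inside (100) to dmz (10) is already allowed by the security levels and by the existing
!    "permit ip any any" at the end of inside_in. The high side proxy (10.89.20.11) reaches the
!    server on its real address 10.89.40.50, which is why squid must go direct for 10.89.40.0/24
!    rather than via the low side proxy. To tighten inside_in later, a narrower rule would be:
! access-list inside_in extended permit tcp host 10.89.20.11 host 10.89.40.50 eq www

! 4. Restrict what the DMZ host may initiate. With no ACL on dmz, dmz (10) to outside (0) is open.
!    Return traffic for sessions opened by clients does not need these permits (stateful inspection).
!    Deny anything towards the inside networks first, permit only what the server needs (DNS shown
!    as a placeholder), then deny the rest explicitly.
access-list dmz_in extended deny ip any 10.89.20.0 255.255.255.0
access-list dmz_in extended deny ip any 10.89.10.0 255.255.255.0
access-list dmz_in extended permit udp host 10.89.40.50 any eq domain
access-list dmz_in extended deny ip any any
access-group dmz_in in interface dmz
```

To confirm the path before involving the proxies, `packet-tracer input outside tcp 10.89.30.12 12345 10.89.30.50 80` should end with the NAT line showing the translation to 10.89.40.50 and a final result of ALLOW, and `show xlate` should list the static entry; a DROP at the ACCESS-LIST phase usually means the ACL was written against the real address rather than the mapped one. The `deny ip any 10.89.20.0/24` line in dmz_in matters even though dmz-to-inside is blocked by the security levels, because it also survives a later change that adds a broad permit to the dmz ACL.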
