09-20-2019 07:57 AM
Hello,
I am trying to set up a DMZ on an ASA 5506. At the moment we have 3 interfaces active on the ASA, which are:
gi1/1 outside
gi1/2 inside
gi1/3 Voice
Voice has an internal IP with a PAT on the outside interface to a public IP address from our range.
Now I want to set up the DMZ on gi1/4, also with a PAT on the outside interface to a public IP address.
I have set up the interface with an internal IP address and connected a test PC to that interface with an IP address in the same range and with the gi1/4 interface of the ASA as gateway. That should at least give me internet access, but that is not the case. I have followed a lot of configuration examples found on the internet with Google, but all have failed to give me even internet access.
Hope you guys can help me out.
10-01-2019 04:54 AM
Yes, nameif DMZ and security-level 20. I removed the configuration on the old interface and shut it down. Did a no shut on the new interface and it stays down/down.
10-01-2019 05:02 AM
10-01-2019 05:40 AM
I already have a TAC case opened with our supplier and am waiting on their response. The behaviour is very strange because all interfaces from gi1/5 to gi1/8 are showing the same error. Only gi1/4 will come to an up/up state, but it will not communicate with the switch, although the interfaces show connected links.
10-01-2019 05:59 AM
Have you checked show conn detail to make sure the connections are being forwarded between the correct interfaces?
Another thing to check is show xlate, to make sure NAT is being applied correctly.
Don't be too hung up on show arp at the moment. Instead, be more concerned with show mac. Are you seeing a MAC address on that interface?
Lastly, have you tried a reload? It is possible that some processes are hanging.
10-01-2019 06:10 AM
Hello Marius,
Yes, sh conn detail only shows connections on the outside to the voice and inside networks. NAT is correct for the voice and inside networks in sh xlate. sh mac on the uplink interface of the switch to the ASA interface is not showing anything. A reload I have to coordinate, because this ASA is in production.
10-01-2019 06:14 AM
Ok, let us know if you are able to perform a reload of the ASA. I have seen similar issues where traffic wasn't passing, clear conn did nothing, but a reload solved the issue.
10-01-2019 06:30 AM
Thank you Marius, that did the trick. I now have a normal connection on the DMZ host and can now apply the ACL to let the outside in to the DMZ.
10-01-2019 08:32 AM
10-01-2019 11:53 PM
Also thanks for your help bhargavdesai. I am now looking at the correct ACL for HTTP and HTTPS access, but that will be no problem.
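For readers arriving at this thread with the same goal, the following is an added example, not the original poster's configuration, of what the DMZ setup discussed above looks like on ASA 9.x: the gi1/4 interface as DMZ at security-level 20, outbound PAT for the DMZ subnet to a dedicated public address, static PAT so that HTTP/HTTPS from the outside reaches one web server behind that same public address, and the inbound ACL the last post was about. It also collects the verification commands Marius suggested (show conn, show xlate, show mac) plus packet-tracer. All addresses are assumed: 192.168.20.0/24 for the DMZ, 192.168.20.10 for the web server, and 203.0.113.20 as the public address (RFC 5737 documentation ranges); the object and ACL names are likewise assumed.

```cisco
! --- DMZ interface (configuration mode) ---
interface GigabitEthernet1/4
 nameif DMZ
 security-level 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Outbound PAT: the whole DMZ subnet leaves via the assumed public address 203.0.113.20
object network DMZ-SUBNET
 subnet 192.168.20.0 255.255.255.0
 nat (DMZ,outside) dynamic 203.0.113.20
!
! Inbound static PAT for the web server (assumed 192.168.20.10) on the same public address.
! Object NAT puts static rules before dynamic ones, so these win for ports 80/443.
object network DMZ-WEB-HTTP
 host 192.168.20.10
 nat (DMZ,outside) static 203.0.113.20 service tcp www www
object network DMZ-WEB-HTTPS
 host 192.168.20.10
 nat (DMZ,outside) static 203.0.113.20 service tcp https https
!
! Inbound ACL on the outside interface. On ASA 8.3+ the ACL matches the REAL
! (untranslated) address, so it refers to the server object, not the public IP.
object network DMZ-WEB
 host 192.168.20.10
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq https
access-group OUTSIDE_IN in interface outside
!
! --- Verification (privileged EXEC mode) ---
! Interface state; if the link stays down/down with a connected cable, suspect the
! box, as in this thread, not the config.
show interface GigabitEthernet1/4
! MAC learned on the DMZ interface: empty here means L2 is not working at all
show mac-address-table
! Translations and live connections on the DMZ side
show xlate
show conn detail
! Hit counts on the inbound ACL
show access-list OUTSIDE_IN
! Simulate an outside client (assumed 198.51.100.5) hitting the public HTTPS address;
! the output shows which NAT rule and ACL line match and whether the packet is allowed
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.20 443
```

Two things worth keeping in mind with this layout: because DMZ (20) is lower than inside (100), DMZ hosts cannot initiate connections to the inside network unless an ACL applied to the DMZ interface permits it, while inside to DMZ works by default. And the static PAT entries only expose ports 80 and 443 of the one server; everything else on the DMZ stays reachable only outbound through the dynamic PAT.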