Cisco ASA 5506 DMZ setup

Hello,

I am trying to set up a DMZ on an ASA 5506. At the moment we have 3 interfaces active on the ASA, which are:

gi1/1 outside

gi1/2 inside

gi1/3 Voice

Voice has an internal IP with a PAT on the outside interface to a public IP address from our range.

Now I want to set up the DMZ on gi1/4, also with a PAT on the outside interface to a public IP address.

I have set up the interface with an internal IP address and connected a test PC on that interface with an IP address in the same range and the gi1/4 interface on the ASA as gateway. That should at least give me internet access, but that is not the case. I have followed a lot of configuration examples found on the internet with Google, but all have failed to give me even internet access.

Hope you guys can help me out.

38 Replies

Yes, nameif DMZ and security-level 20. I removed the configuration on the old interface and shut it down. I did a no shut on the new interface and it stays down/down.

This is strange; I suggest you contact Cisco TAC.



HTH
### RATE ALL HELPFUL RESPONSES ###

I already have a TAC case opened with our supplier; I am waiting on their response. The behaviour is very strange because all interfaces from gi1/5 to gi1/8 are showing the same error. Only gi1/4 will come to an up/up state, but it will not communicate with the switch even though the links on the interfaces show as connected.

Have you checked show conn detail to make sure the connections are being forwarded between the correct interfaces?

Another thing to check is show xlate, to make sure NAT is being applied correctly.

Don't be too hung up on show arp at the moment. Instead be more concerned with show mac. Are you seeing a MAC address on that interface?

Lastly, have you tried a reload? It is possible that there are some processes that are hanging.

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

Yes, the sh conn detail only shows connections on the outside to the Voice and inside networks. NAT is correct for the Voice and inside networks in the sh xlate output. sh mac on the uplink interface of the switch towards the ASA interface is not showing anything. A reload I have to coordinate, because this ASA is in production.

Ok, let us know if you are able to perform a reload of the ASA. I have seen similar issues where traffic isn't passing and clear conn did nothing, but a reload solved the issue.

--
Please remember to select a correct answer and rate helpful posts

Thank you Marius, that did the trick. I now have a normal connection on the DMZ host and can now apply the ACL to let the outside in on the DMZ.

Good to hear your problem is solved.
I was also thinking of asking you for a reboot, but after seeing the device had been up for more than a year it would be hard to ask for one, and I also was not 100% sure that it would resolve your problem.

HTH
### RATE ALL HELPFUL RESPONSES ###

Also thanks for your help bhargavdesai, I am now looking at the correct ACL for HTTP and HTTPS access. But that will be no problem.
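For readers following the same steps (DMZ on gi1/4 with nameif DMZ and security-level 20, outbound PAT to a public address, and an inbound ACL that allows only HTTP and HTTPS to one DMZ host), here is an added example configuration. It is not the poster's configuration or Cisco's; it assumes ASA 8.3+ object NAT syntax, and the 192.168.40.0/24, 203.0.113.40 and 192.168.40.10 addresses are placeholders chosen for the example.

```cisco
! Added example, not the poster's config. ASA 8.3+/9.x object NAT syntax.
! 192.168.40.0/24 (DMZ), 203.0.113.40 (public PAT IP) and 192.168.40.10
! (web host) are placeholder addresses; substitute your own.
interface GigabitEthernet1/4
 nameif DMZ
 security-level 20
 ip address 192.168.40.1 255.255.255.0
 no shutdown
!
! Outbound: hide the whole DMZ subnet behind one public IP from your range.
object network DMZ-NET
 subnet 192.168.40.0 255.255.255.0
 nat (DMZ,outside) dynamic 203.0.113.40
!
! Inbound: static PAT forwards only TCP/80 and TCP/443 of the public IP to
! the web host. One object can carry one NAT line, so use two objects for
! the same host.
object network DMZ-WEB-HTTP
 host 192.168.40.10
 nat (DMZ,outside) static 203.0.113.40 service tcp www www
object network DMZ-WEB-HTTPS
 host 192.168.40.10
 nat (DMZ,outside) static 203.0.113.40 service tcp https https
!
! Outside ACL: on 8.3+ the destination is the real (untranslated) host.
! Permit only the two services; everything else from outside stays denied.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB-HTTP eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB-HTTPS eq https
access-group OUTSIDE_IN in interface outside
!
! Notes:
! - access-group replaces any ACL already bound to outside; if one exists
!   (e.g. for the Voice PAT), add these lines to that ACL instead.
! - DMZ (20) -> inside (100) is denied by default; do not open it unless a
!   specific flow needs it.
! - Verify before exposing the host:
!   packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.40 80
!   show nat detail | show xlate | show conn detail
```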