ASA 5510: Want to have traffic between Web, DMZ and Inside Network

risenshine4th (Level 1)

I've attached a clean copy of my config.

I've used the 172.x.x.x and 192.x.x.x to limit visibility.

I'm trying to allow typical traffic from the inside network to the DMZ, traffic from the Web sites to the DMZ, and traffic out of the DMZ to both Internal and Web.

My only success appears to be being able to browse the Internet/Web from both the DMZ servers and the Inside network.

I'm trying to map traffic from

172.16.1.8 --->192.168.0.8 Inside

172.16.1.24 --->192.168.0.24 Inside DNS

172.16.1.207 --->192.168.154.7 DMZ

172.16.1.135 --->192.168.154.6 DMZ http, domain(DNS)

--->192.168.0.4 Inside https, smtp

172.16.1.136 --->192.154.6 DMZ http,https

Config is working on an old Netscreen 10.

Any help is appreciated.


risenshine4th (Level 1)

172.16.1.135 --->192.168.154.6 DMZ http, domain(DNS)

172.16.1.135--->192.168.0.4 Inside https, smtp

This one doesn't allow Nat of more than one of the same host IP.

I have updated my configuration.

I question whether or not the outside NAT rules would conflict with the inside and DMZ rules?

I figure one way to overcome the access barrier between the DMZ and Inside is to set the security level of the interfaces to the same level and enable the same level checkbox.

I'd rather keep the interfaces on different levels.

Can anyone confirm a problem with my configuration/rules?

I have used http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html

(I've tried adding the 10.10.10.0.. static rule without success. I suspect something is missing here, as this document hides details in the screenshots.)

Could the LAN to DMZ traffic be a license issue?

You need an access-list applied inbound on the DMZ interface to allow DMZ to inside.
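The reply above names the missing piece. As an added example (not the poster's attached config and not Cisco's documentation), the fragment below shows how the statics, the identity translation and the interface ACLs fit together in pre-8.3 ASA syntax, which is what the 8.0 quick-start guide linked in the thread uses. The addresses and services are the ones listed in the post; the interface names (outside, dmz, inside), the ACL names, the existing nat/global pair for Internet access, and the particular DMZ-to-inside flows permitted (DNS to the inside DNS server, SMTP to the inside mail host) are assumptions and must be adjusted to the real servers' needs.

```cisco
! Added example, not the poster's configuration. Pre-8.3 ASA syntax.
! Assumed: interfaces outside (level 0), dmz (level 50), inside (level 100);
! an existing "nat (inside) 1 ..." / "nat (dmz) 1 ..." / "global (outside) 1 interface"
! that already gives both networks Internet access (the post says this works).

! 1. Hosts that own a whole public IP: one-to-one static NAT.
static (inside,outside) 172.16.1.8   192.168.0.8     netmask 255.255.255.255
static (inside,outside) 172.16.1.24  192.168.0.24    netmask 255.255.255.255
static (dmz,outside)    172.16.1.207 192.168.154.7   netmask 255.255.255.255

! 2. One public IP shared by a DMZ host and an inside host. A plain static
!    cannot map the same global IP twice, but port-level statics (static PAT)
!    can, one line per protocol/port, as long as the ports do not overlap.
static (dmz,outside)    tcp 172.16.1.135 www    192.168.154.6 www    netmask 255.255.255.255
static (dmz,outside)    udp 172.16.1.135 domain 192.168.154.6 domain netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.135 https  192.168.0.4   https  netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.135 smtp   192.168.0.4   smtp   netmask 255.255.255.255

! 3. Inside <-> DMZ. Once "nat (inside) 1" exists, inside-to-dmz traffic needs a
!    translation on the dmz side too, or it is dropped with "no translation
!    group found". An identity static presents the inside network to the DMZ
!    unchanged; statics take priority over nat/global, so this does not
!    interfere with the outside statics above. The same line is what lets
!    DMZ hosts reach 192.168.0.x at all (this is the "10.10.10.0" static in
!    the quick-start guide, with the real inside network substituted).
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

! 4. Outside ACL. Pre-8.3, inbound ACLs match the *translated* (global)
!    address, so these reference 172.16.1.x, not 192.168.x.x.
access-list outside_access_in extended permit udp any host 172.16.1.24  eq domain
access-list outside_access_in extended permit tcp any host 172.16.1.135 eq www
access-list outside_access_in extended permit udp any host 172.16.1.135 eq domain
access-list outside_access_in extended permit tcp any host 172.16.1.135 eq https
access-list outside_access_in extended permit tcp any host 172.16.1.135 eq smtp
access-group outside_access_in in interface outside

! 5. DMZ ACL. Traffic initiated from dmz (50) toward inside (100) is denied by
!    default; it must be permitted by an ACL applied inbound on dmz. Applying
!    any ACL here replaces the implicit "permit to lower security" behaviour,
!    so Internet access for the DMZ must be re-added explicitly, and the
!    inside network is denied before the catch-all so it is not exposed.
!    (Which flows to permit is an assumption; grant only what the servers use.)
access-list dmz_access_in extended permit udp host 192.168.154.6 host 192.168.0.24 eq domain
access-list dmz_access_in extended permit tcp host 192.168.154.6 host 192.168.0.4  eq smtp
access-list dmz_access_in extended deny   ip  any 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip  192.168.154.0 255.255.255.0 any
access-group dmz_access_in in interface dmz

! Inside (100) to dmz (50) needs no ACL unless one is already applied inbound
! on the inside interface; if one is, add matching permits there.
```

Two checks worth running before changing security levels or enabling same-security traffic: `packet-tracer input dmz tcp 192.168.154.6 1025 192.168.0.4 25` walks a DMZ-to-inside SMTP packet through NAT and ACL lookup and names the phase that drops it, and `show xlate` confirms the identity and port statics were built. Keeping the interfaces at distinct levels with an explicit DMZ ACL, as the poster prefers, is the safer design: a compromised DMZ web server then reaches only the inside services you listed, not the whole inside network.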
