ASA 5520 NAT and DMZ/inside network configuration

peterpark421 (Level 1)

I am trying to configure a server (192.168.5.50) in the DMZ (192.168.5.0/24) to be able to communicate with a domain controller (10.5.44.220) in the inside network (10.5.44.0/24). I made some configuration using ASDM (I am not familiar with the CLI), but it is not working, and it caused the existing NAT to stop working, for example the RDP (TCP 3389) connection to 38.96.179.220.

The things I am trying to achieve are:

1. Two-way communication between 192.168.5.50 in the DMZ and 10.5.44.220 on the inside for the SecureAuthPorts and SecureAuthOutbound service groups.

2. NAT mapping 192.168.5.50 to 38.96.179.50 for the service groups mentioned above.

3. NAT for the other hosts that already exist.

I attached the running configuration file and hope someone could help me with this. Thank you guys in advance for your help.

Accepted Solution

Jennifer Halim (Cisco Employee)

1. I would suggest that you only have the "in" ACL, instead of both "in" and "out" ACL applied to the interface.

So please remove the following:

no access-group inside_access_out out interface inside

no access-group DMZ_access_out out interface DMZ

Then the DMZ hosts should be able to communicate with the inside network.

Also you would need to use the private address (10.5.44.x) instead of the public address to access it from the DMZ hosts.

You also don't need to configure the following so it can also be removed:

no nat (DMZ) 0 access-list DMZ_nat0_outbound

2. To configure NAT for those, you should just do 1:1 NAT and configure access using ACL:

static (DMZ,outside) 38.96.179.50 192.168.5.50 netmask 255.255.255.255

Also, from what I can see, SecureAuthPorts is basically opening up most ports, which doesn't sound very secure. Are you sure you would like inbound access for all those ports?

3. For NAT in the DMZ:

nat (dmz) 101 192.168.5.0 255.255.255.0

Then you would need to configure ACL on the existing "DMZ_access_in" for the access that you would like to allow to the internet.

Hope that helps.

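The configuration the reply describes, assembled into one added example. This is not the poster's attached running configuration and, beyond the three commands Jennifer gave, not her text either. It uses the pre-8.3 static/nat/global syntax used in the thread (on 8.3 and later the ACLs would reference real addresses and NAT would use object syntax instead). Assumptions for illustration: the DMZ server only needs LDAP, LDAPS, Kerberos, DNS and global-catalog access to the DC, so the object groups DC_PORTS and DC_PORTS_UDP are assumed names replacing the all-ports SecureAuthPorts group; HTTPS is the only service published on 38.96.179.50; the interfaces are named outside, inside and DMZ with security levels 0, 100 and 50; and nat-control is off (the ASA default), which is what makes DMZ-to-inside traffic pass untranslated once the nat 0 exemption is removed.

```text
! Added example, not the poster's config. Pre-8.3 ASA syntax.
! Object groups: only the DC ports the DMZ server actually needs
! (assumed: Kerberos, LDAP, LDAPS, global catalog; DNS and Kerberos over UDP).
object-group service DC_PORTS tcp
 port-object eq 88
 port-object eq 389
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
object-group service DC_PORTS_UDP udp
 port-object eq 53
 port-object eq 88

! Inbound from the Internet to the DMZ server. Pre-8.3: an ACL on the outside
! interface matches the MAPPED (public) address, not 192.168.5.50.
! Assumed published service: HTTPS only.
access-list outside_access_in extended permit tcp any host 38.96.179.50 eq 443

! DMZ -> inside: only the server, only to the DC, only the ports above.
! Use the DC's private address; the DMZ host must not target 38.96.179.220.
access-list DMZ_access_in extended permit tcp host 192.168.5.50 host 10.5.44.220 object-group DC_PORTS
access-list DMZ_access_in extended permit udp host 192.168.5.50 host 10.5.44.220 object-group DC_PORTS_UDP
! Keep the rest of the DMZ away from the inside network, then allow Internet egress.
access-list DMZ_access_in extended deny ip 192.168.5.0 255.255.255.0 10.5.44.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.5.0 255.255.255.0 any

! Only "in" ACLs, as the reply recommends: no inside_access_out / DMZ_access_out.
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

! 1:1 static for the server: used for inbound from the Internet and as the
! server's source address when it initiates outbound.
static (DMZ,outside) 38.96.179.50 192.168.5.50 netmask 255.255.255.255
! PAT for everything else in the DMZ. The NAT id (101) must match a global
! on the outside interface; with no global (inside) 101, DMZ -> inside traffic
! is left untranslated (nat-control off).
nat (DMZ) 101 192.168.5.0 255.255.255.0
global (outside) 101 interface

! Verification, from the ASA CLI (assumed source port 1025):
! packet-tracer input DMZ tcp 192.168.5.50 1025 10.5.44.220 389
! packet-tracer input outside tcp 203.0.113.10 1025 38.96.179.50 443
! packet-tracer input outside tcp 203.0.113.10 1025 38.96.179.50 3389   <- should be dropped by the ACL
! show xlate | include 192.168.5.50
```

The three packet-tracer lines are the check a practitioner wants before declaring this fixed: the first should pass the ACL and show no NAT, the second should hit the static and be allowed, and the third should be dropped at the ACL phase (203.0.113.10 is a documentation address standing in for an arbitrary Internet host). If the deny line for 192.168.5.0/24 to 10.5.44.0/24 is omitted, the trailing permit ip any lets every DMZ host reach the inside network, which is exactly what a DMZ is meant to prevent.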

Thank you so much, Jennifer. Suggestion #1 was exactly right and it solved the issue.
