05-24-2016 08:31 AM - edited 03-12-2019 12:47 AM
Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I've learned that there was a major CLI syntax change with the 8.3 firmware.
Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:
inside 192.168.10.1 255.255.255.0
outside 1.2.3.4 255.255.255.0 (example...)
DMZ 172.28.0.1 255.255.255.0
The DMZ has one host, a web server at 172.28.0.15
I have three objectives to implement:
- to allow all outside IP addresses to access the web server at 172.28.0.15
- to translate all traffic from the outside interface 1.2.3.4 to the web server at 172.28.0.15 (at least port 80 and 443)
- to allow all inside IP addresses from the 192.168.10.0 network to access the web server at 172.28.0.15
Can anyone assist & support with the appropriate 8.0 CLI syntax?
Any help would be very much appreciated...
Mario
05-24-2016 09:40 AM
Hi Mario,
static (
static (dmz,outside) tcp interface 443 172.28.0.15 443
For inside users you can use a NONAT statement:
access-list NAT_EXEMPT extended permit ip host 172.28.0.15 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list NAT_EXEMPT outside
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-24-2016 11:05 PM
Hi Aditya,
thank you so much for your support, I'll give it a try in the next hour.
You wrote:
For inside users you can use a NONAT statement:
access-list NAT_EXEMPT extended permit ip host 172.28.0.15 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list NAT_EXEMPT outside
I just want to make sure that "outside" is the correct interface to bind the access-list NAT_EXEMPT to?
Thanks again,
Mario
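As an added worked example (not part of either post above, and not Cisco documentation), here is a complete pre-8.3 configuration fragment for the three objectives in the original question, using the thread's interface names and addresses. The interface assignments, security levels and the ACL name OUTSIDE_IN are assumptions; the NAT exemption is written from the inside side (nat (inside) 0) rather than the DMZ side shown in the reply, which is the more common form for "inside hosts reach the DMZ without translation". The important 8.0-era detail is that an ACL applied to the outside interface must match the translated address (the outside interface IP 1.2.3.4), not the real DMZ address 172.28.0.15, and that only the published ports are opened rather than all IP traffic.

```cisco
! Added example for ASA 8.0(3), pre-8.3 syntax. Interface names, addresses
! and the object names below are assumptions based on the thread.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.28.0.1 255.255.255.0
!
! Objective 2: static PAT from the outside interface address, ports 80 and 443,
! to the DMZ web server. Only these two ports are published.
static (dmz,outside) tcp interface 80 172.28.0.15 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 443 172.28.0.15 443 netmask 255.255.255.255
!
! Objective 1: permit outside hosts to the published ports. In pre-8.3 code the
! ACL matches the mapped (outside interface) address, not 172.28.0.15.
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 eq 80
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 eq 443
access-group OUTSIDE_IN in interface outside
!
! Objective 3: inside (security 100) to dmz (security 50) is permitted by
! default; the exemption keeps any existing dynamic NAT (or nat-control)
! from translating inside hosts when they talk to the web server.
access-list NAT_EXEMPT extended permit ip 192.168.10.0 255.255.255.0 host 172.28.0.15
nat (inside) 0 access-list NAT_EXEMPT
```

To verify the result without waiting for real traffic, packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.4 443 (203.0.113.10 is a constructed source address) walks the flow through the ACL and static translation and reports which phase drops it; show xlate then confirms the static entries exist, and show access-list OUTSIDE_IN shows hit counts once clients connect.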