07-12-2014 06:09 AM - edited 03-11-2019 09:27 PM
Hi,
I have an ASA 5510 running 8.4 with the following interfaces:
inside -------------->192.168.1.0/24 (sec-level=100)
DMZ -------------->192.168.2.0/24 (sec-level=50)
outside ------------->192.168.3.0/24 (sec-level=0)
My ISP NATs the public IP x.x.x.x to 192.168.3.10.
In the DMZ I have an Exchange server (192.168.2.10).
1- What is the configuration to allow both inside and DMZ to get access to the internet?
2- What is the configuration to receive emails from the internet?
3- How can I allow access from the DMZ to the inside network?
Thanks
07-12-2014 03:54 PM
LA-Engineer (and tareken87):
An outside default route would point to the next hop gateway, not the interface itself.
There's no need for an access-list on the inside as it will permit any traffic to all lower security interfaces by default.
If you allow DMZ access to ip any any (including the inside) then you defeat the whole purpose of having a DMZ. One should analyze the required protocols, hosts and ports for DMZ-to-inside traffic and allow only those in the access-list.
07-12-2014 07:09 AM
Hi,
Share your existing show run configuration from your ASA.
HTH
Sandy
07-12-2014 11:13 AM
If you have the IP addresses already configured then the first thing you'll need to do is configure a default route.
route outside 0.0.0.0 0.0.0.0 192.168.3.10
Then, you may need to NAT your inside and DMZ to your outside IP address.
nat (inside,outside) source dynamic any interface
nat (DMZ,outside) source dynamic any interface
Then, you'll need to permit it in the interface access-list if you have one configured:
access-list inside_access_in permit ip any any
access-list DMZ_access_in permit ip any any ! this permits DMZ to inside as well.
Then, you may need to configure inspection if you haven't already.
07-12-2014 06:06 PM
tareken87, sorry, I mistook that for the next hop. Yes, you would obviously need to set it to the next hop gateway, not itself. The next-hop gateway will be the ISP router's IP address (192.168.3.x).
Marvin is right: if you have one configured, the traffic will need to be permitted in the ACL. If not, then you don't. Some organizations like to control what traffic is allowed from one zone into another regardless of the security level. The point is, you'll need to allow the traffic if you do have an ACL configured. Otherwise, traffic will be allowed from higher security to lower security by default. So for the DMZ to inside access, you need to just permit the traffic that you want. If you want all traffic then you will permit any. Otherwise, specify the source and destination IP/ports in your ACL entries.
I hope that helps. Let me know if any of this doesn't make sense.
07-13-2014 02:21 AM
Based on all your replies, I will write the commands as I understand them; kindly correct me if I am wrong:
interface ethernet 0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface ethernet 0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.2 255.255.255.0
interface ethernet 0/3
 nameif outside
 security-level 0
 ip address 192.168.3.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1
object network pat_to_interface
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic pat_to_interface interface
object network mail_server
 host 192.168.2.10
 nat (dmz,outside) static 192.168.3.10
access-list outside_TO_dmz extended permit tcp any host 192.168.2.10 eq 25
access-group outside_TO_dmz in interface outside
access-list dmz_TO_inside extended permit tcp host 192.168.2.10 host 192.168.1.11 eq 53
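Pulling the thread's corrections together, here is a complete ASA 8.4 configuration for the topology in the first post: default route to the ISP router rather than the ASA's own address, dynamic PAT for both inside and DMZ, static NAT for the Exchange server, an outside ACL for SMTP, and a DMZ ACL that allows only the DNS the mail server needs before blocking the rest of inside. This is an added example, not configuration posted by anyone in the thread; the `!` lines are comments. Addresses and the Ethernet0/x ports are those given above, the DNS server 192.168.1.11 comes from the last post, and the object and ACL names are assumed.

```text
! Interfaces: addresses and security levels as given in the thread
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.2 255.255.255.0
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 192.168.3.2 255.255.255.0
!
! Default route points at the ISP router (next hop), not at the ASA's own outside interface
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
!
! Internet access: dynamic PAT for both inside and dmz behind the outside interface address
object network inside_net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz_net
 subnet 192.168.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Inbound mail: static NAT of the Exchange server to 192.168.3.10, which the ISP maps to x.x.x.x
object network mail_server
 host 192.168.2.10
 nat (dmz,outside) static 192.168.3.10
!
! Since 8.3 an ACL matches the real (untranslated) address, so permit to the object, not to .10
access-list outside_access_in extended permit tcp any object mail_server eq smtp
access-group outside_access_in in interface outside
!
! DMZ -> inside: only what the mail server needs (DNS on 192.168.1.11), then block the rest of
! inside, then keep internet access. Once an ACL is applied to the interface it replaces the
! implicit higher-to-lower permit, and anything not listed hits the implicit deny at the end.
access-list dmz_access_in extended permit udp object mail_server host 192.168.1.11 eq domain
access-list dmz_access_in extended permit tcp object mail_server host 192.168.1.11 eq domain
access-list dmz_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
```

Object NAT rules are ordered automatically with static rules before dynamic ones, so the mail server's own outbound traffic leaves as 192.168.3.10 rather than the interface PAT address.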