01-05-2016 12:15 PM - edited 03-12-2019 12:06 AM
ASA5510 v8.3
- servers on the inside network are accessible from outside on select ports
- hosts on the dmz network can access anything on the Internet
- hosts on the dmz cannot access the servers on the inside network by using their public names
Here is the relevant config:
ASA Version 8.3(1)
!
interface Ethernet0/0
nameif atria
security-level 0
ip address x.x.x.x y.y.y.y
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.254 255.0.0.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 75
ip address 192.168.10.217 255.255.248.0
!
object network ts1
host 192.168.0.118
object network bes
host 192.168.0.20
object network ts1
nat (inside,atria) static interface service tcp 3389 3389
object network bes
nat (inside,atria) static interface service tcp https https
access-list outside-in extended permit tcp any object ts1 eq 3389
access-list outside-in extended permit tcp any object bes eq https
access-group outside-in in interface atria
route atria 0.0.0.0 0.0.0.0 216.16.243.153 1
route inside 192.168.102.0 255.255.255.0 192.168.0.250 1
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map inside-policy
class inside-class
inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy inside-policy interface inside
01-05-2016 01:09 PM
The dmz interface has a lower security-level than inside. You need an ACL to allow traffic to the inside:
access-list dmz-in extended permit tcp any object ts1 eq 3389
access-list dmz-in extended permit tcp any object bes eq https
!
access-group dmz-in in interface dmz
With this config you should be able to reach the servers by their internal address. If you want to reach them by their public name, there are different ways to achieve that. My favorite way is to use an internal DNS also for the DMZ, and this internal DNS gives back the internal IPs for the public names.
Edit: ASA version 8.3(1) was one of the worst versions ever on the ASA. To make sure that you don't run into too many problems, you should upgrade to the newest 8.4 release or even go up to the newest 9.1.
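As an added example, not part of either post above, the following ASA 8.3-style snippet combines the reply's DMZ-to-inside ACL with a twice-NAT rule so that DMZ hosts can reach the two servers through the public (atria) interface address, and ends with a packet-tracer check. The public address 203.0.113.10 stands in for the elided x.x.x.x, the DMZ host range 10.0.1.0/24 and the names atria-public, dmz-hosts, svc-rdp and svc-https are assumptions made for this example; the objects ts1 and bes are the ones already defined in the original config.

```cisco
! Added example (not from the original thread). Assumed values:
!   203.0.113.10   stands in for the elided x.x.x.x on the atria interface
!   10.0.1.0/24    assumed DMZ host range, used instead of "any" as source
object network atria-public
 host 203.0.113.10
object network dmz-hosts
 subnet 10.0.1.0 255.255.255.0
object service svc-rdp
 service tcp destination eq 3389
object service svc-https
 service tcp destination eq https
!
! Interface ACL for dmz. In 8.3 the ACL matches the real (untranslated)
! address, so the inside objects ts1/bes are referenced even when the DMZ
! host connected to the public address. Sources are limited to dmz-hosts,
! not "any".
access-list dmz-in extended permit tcp object dmz-hosts object ts1 eq 3389
access-list dmz-in extended permit tcp object dmz-hosts object bes eq https
! Once an access-group is applied to dmz, the implicit deny at the end of
! the ACL also covers traffic that was previously allowed by the
! security-level alone (dmz -> Internet). Keep Internet access working by
! first denying the internal networks and then permitting everything else.
access-list dmz-in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz-in extended deny ip any 192.168.102.0 255.255.255.0
access-list dmz-in extended deny ip any 192.168.8.0 255.255.248.0
access-list dmz-in extended permit ip object dmz-hosts any
access-group dmz-in in interface dmz
!
! Twice NAT (section 1): a DMZ host that connects to the public address
! on 3389 or 443 is redirected to the real inside server. The source is an
! identity translation, so the inside server still sees the 10.0.1.x
! address. These (dmz,inside) rules do not touch the existing
! (inside,atria) object NAT.
nat (dmz,inside) source static dmz-hosts dmz-hosts destination static atria-public ts1 service svc-rdp svc-rdp
nat (dmz,inside) source static dmz-hosts dmz-hosts destination static atria-public bes service svc-https svc-https
!
! Verification: simulate a DMZ host connecting to the public address.
! The trace should show the NAT phase rewriting the destination to
! 192.168.0.118 and an allow result on the dmz-in ACL.
packet-tracer input dmz tcp 10.0.1.10 40000 203.0.113.10 3389
show nat detail
show access-list dmz-in
```

If the DMZ hosts are instead pointed at an internal DNS that returns 192.168.0.118 and 192.168.0.20 for the public names (the reply's preferred approach), only the dmz-in ACL above is needed and the two nat lines can be omitted; the packet-tracer check then uses the inside address as destination.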