11-10-2009 02:12 AM - edited 03-11-2019 09:38 AM
I have a Cisco ASA 5510 with the following interfaces
1) Ethernet 0 - 192.167.50.1/29 (Outside)
2) Ethernet 1 - 192.168.50.1/24 (Inside)
3) Ethernet 2 - 192.169.50.1/24 (DMZ)
I need assistance configuring the ASA for my Exchange Edge server in the DMZ. I need the same public IP to be mapped to the Exchange server on the DMZ and to the ISA server on the inside network. Between the DMZ and the inside network I need to allow the following ports:
- LDAP - Port 50389 (TCP)
- Secure LDAP - Port 50636 (TCP & UDP)
- SMTP - Port 25 (TCP)
- RDP - Port 3389 (TCP) (Optional)
Please check the configuration below and the attached diagram.
-------------------------------------------------
ASA Version 8.2(1)
!
hostname ASA
domain-name cisco.com
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.167.50.1 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.169.50.1 255.255.255.0
!
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 100 extended permit tcp any host 192.167.50.2 eq smtp
access-list 100 extended permit tcp any host 192.167.50.2 eq www
access-list 100 extended permit tcp any host 192.167.50.2 eq 3000
access-list 100 extended permit tcp any host 192.167.50.2 eq 366
access-list 100 extended permit tcp any host 192.167.50.2 eq imap4
access-list 100 extended permit tcp any host 192.167.50.2 eq domain
access-list 100 extended permit tcp any host 192.167.50.2 eq ldap
access-list 100 extended permit tcp any host 192.167.50.2 eq 3002
access-list 100 extended permit tcp any host 192.167.50.2 eq 1000
access-list 100 extended permit tcp any host 192.167.50.2 eq pop3
access-list 300 extended permit tcp host 192.169.50.4 any eq smtp
access-list 300 extended permit tcp host 192.169.50.4 any eq 50389
access-list 300 extended permit tcp host 192.169.50.4 any eq 50636
access-list 300 extended permit udp host 192.169.50.4 any eq 50636
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
global (outside) 10 192.167.50.3 netmask 255.255.255.248
nat (inside) 10 192.168.50.0 255.255.255.0
static (outside,inside) tcp 192.168.50.1 www 192.167.50.2 www netmask 255.255.255.255
static (outside,inside) tcp 192.168.50.1 https 192.167.50.2 https netmask 255.255.255.255
static (outside,DMZ) tcp 192.169.50.4 smtp 192.167.50.2 smtp netmask 255.255.255.255
access-group 100 in interface outside
access-group 300 in interface outside
route outside 0.0.0.0 0.0.0.0 192.167.50.4 1
11-10-2009 06:33 AM
Your config looks good, with some minor issues. First, I see two ACLs applied on the outside interface.
Probably you wanted to do
access-group 300 in interface DMZ
You have
static (outside,inside) tcp 192.168.50.1 www 192.167.50.2 www netmask 255.255.255.255
static (outside,inside) tcp 192.168.50.1 https 192.167.50.2 https netmask 255.255.255.255
static (outside,DMZ) tcp 192.169.50.4 smtp 192.167.50.2 smtp netmask 255.255.255.255
I am guessing that 192.168.50.1 is the ISA on the inside and 192.169.50.4 is the Exchange. Then you would want to do
static (inside,outside) tcp 192.167.50.2 www 192.168.50.1 www netmask 255.255.255.255
static (inside,outside) tcp 192.167.50.2 https 192.168.50.1 https netmask 255.255.255.255
static (DMZ,outside) tcp 192.167.50.2 smtp 192.169.50.4 smtp netmask 255.255.255.255
I hope it helps.
PK
11-10-2009 06:39 AM
Hi,
That seems strange:
>access-group 100 in interface outside
>access-group 300 in interface outside
I would configure the following
access-list 100 extended permit tcp any host 192.167.50.2 eq smtp
access-list 100 extended permit tcp any host 192.167.50.2 eq www
access-list 100 extended permit tcp any host 192.167.50.2 eq 443
access-group 100 in interface outside
access-list 200 extended permit tcp host 192.169.50.4 any eq smtp
access-list 200 extended permit tcp host 192.169.50.4 any eq 50389
access-list 200 extended permit tcp host 192.169.50.4 any eq 50636
access-list 200 extended permit udp host 192.169.50.4 any eq 50636
access-list 200 extended permit tcp host 192.169.50.4 any eq 3389
access-list 200 extended deny ip 192.169.50.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 200 extended permit ip any any
access-group 200 in interface dmz
access-list 300 extended permit tcp any host 192.169.50.4 eq smtp
access-list 300 extended permit tcp any host 192.169.50.4 eq 50389
access-list 300 extended permit tcp any host 192.169.50.4 eq 50636
access-list 300 extended permit udp any host 192.169.50.4 eq 50636
access-list 300 extended permit tcp any host 192.169.50.4 eq 3389
access-list 300 extended deny ip 192.168.50.0 255.255.255.0 192.169.50.0 255.255.255.0
access-list 300 extended permit ip any any
access-group 300 in interface inside
Additionally, you have to configure a NoNAT between DMZ and inside! And if you are starting connections from the DMZ to the inside, you may need
static (dmz,inside) 192.168.50.2 192.168.50.2 netmask 255.255.255.255
Regards, Celio
11-12-2009 12:34 AM
Hi Celio
Thank you for your suggestions.
It would be very helpful if you could please provide the NAT configuration for both Inside to DMZ and DMZ to Inside.
Regards
Harish Babu
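The NoNAT (NAT exemption) configuration Celio refers to and Harish asks for, written in ASA 8.2 (pre-8.3) syntax as an added example; it is not config posted in this thread, and it assumes the addressing from the original post (192.168.50.0/24 inside, 192.169.50.0/24 DMZ) and an ACL name NONAT chosen here.

```text
! Identity NAT between Inside and DMZ (ASA 8.2, pre-8.3 NAT syntax).
! Added example, not from the thread; the ACL name NONAT is an assumption.
! Traffic matched by this ACL is exempted from the nat (inside) 10 / global (outside) 10
! pair and crosses the firewall with its real addresses unchanged.
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 192.169.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! NAT exemption is bidirectional: connections initiated from the DMZ towards Inside are
! exempted by the same statement, so no separate static is needed for identity.
! What is permitted in each direction is still decided only by the interface ACLs
! (access-group 200 on dmz, access-group 300 on inside), so keep the DMZ-to-inside
! rules restricted to the LDAP, secure LDAP, SMTP and RDP ports listed in the question.
!
! Verification from the ASA CLI:
! show nat
! show xlate
! packet-tracer input inside tcp 192.168.50.2 1025 192.169.50.4 50389
! packet-tracer input dmz tcp 192.169.50.4 1025 192.168.50.2 50389
```

The two packet-tracer runs should report the NAT phase as exempt (no translation) and the ACL phase as permitted for the Exchange-to-ISA ports, and a drop for anything outside those ports.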