9112 Views, 14 Helpful, 47 Replies

Configure Dmz on ASA5505

Thomas_Madsen
Level 1

I've been doing a quick search without finding the correct answer to my problem; it might be that I should have done some more searching, but here it goes.

I have an ASA 5505 Sec Plus with 3 VLANs: inside, outside and DMZ.

On the outside I have 5 IPs for my use, and in the DMZ I have a web server that needs to communicate with one SQL server on the inside.

The "SQL" also needs to be accessible from outside and thus has a static NAT with a dynamic NAT so it replies from the same IP as on the NAT, i.e. 72.72.72.5.

The web server is NATted with 72.72.72.6.

SQL inside IP is 192.168.1.2, GW 192.168.1.1.

Web server IP is 192.168.2.100, GW 192.168.2.1.

Security level on inside is 100 and on DMZ 50.

With a dynamic policy running inside-net/24 to dmz-network/24 translated to DMZ 192.168.2.2 I can get it to ping one way from inside to DMZ, but not the other way around...

All I need is to open 1 port, i.e. 6677, both ways for this communication to work.

I'm not very familiar with the CLI and do most stuff in the GUI (I know I should learn the CLI, but time doesn't let me)...

Any tips on what I need to do???

On access rules I have just added everything from any to any using IP, ICMP, TCP and UDP just to be sure... :-)

Happy for any pointers...

47 Replies

Hello Thomas,

Glad I could help!!

You are going from a higher security level to a lower security level (the ASA needs a NAT rule to allow this connection).

As soon as you make it, it is going to look for a NAT rule that helps here; the problem is that you do not have any translation rule for that interface (dmz) except for the static one-to-one SQL, so as soon as we add a translation rule everything works.

So each time you have nat-control enabled you need a NAT translation for a packet to successfully traverse the ASA; in this case a dynamic NAT will do it (higher to lower, unidirectional).

Let me know if this makes it clear.

Regards,

Julio

Please rate all posts that are helpful!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
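A worked configuration for the first scenario in the thread, added here as an example and not taken from Thomas's or Julio's posts, in the 8.2-era nat/global/static syntax the thread uses. It assumes nat-control is on and that the web server only needs TCP 6677 to the SQL host, so the DMZ ACL is narrowed from the poster's any/any to that one flow; the identity static covers the DMZ-to-inside direction, while the global on dmz covers the inside-to-DMZ dynamic case, which is also the statics-versus-global distinction Julio draws in the later exchange.

```cisco
! ASA 8.2-style NAT for the thread's first scenario (added example; values
! are the thread's own, names such as dmz_in are assumed).
! Interfaces: inside (100), dmz (50), outside (0).
nat-control

! Dynamic translations (unidirectional, higher-to-lower only), NAT id 1
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
! inside -> dmz uses the translated address the poster chose, 192.168.2.2
global (dmz) 1 192.168.2.2

! Static one-to-one translations (bidirectional)
static (inside,outside) 72.72.72.5 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 72.72.72.6 192.168.2.100 netmask 255.255.255.255
! Identity static so the DMZ web server can initiate to the SQL host;
! a static takes precedence over the dynamic rule for 192.168.1.2
static (inside,dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255

! DMZ inbound ACL: only the web server, only TCP 6677, in place of
! "permit ip any any". The deny keeps the rest of the inside net closed
! while the final permit still lets DMZ hosts reach the outside.
access-list dmz_in remark web server to SQL on the one port the thread names
access-list dmz_in extended permit tcp host 192.168.2.100 host 192.168.1.2 eq 6677
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

Inbound access from the outside to 72.72.72.5 and 72.72.72.6 still needs its own ACL on the outside interface; the thread does not say which ports those hosts expose.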

I got the NAT bit, I think; not sure why adding to the global pool solved it all at the end, but :-)

Would this be the same setup for another solution...

Following VLANs:

Outside
dmz
Company1
Company2

srv1-company1 in VLAN company1 running IP 10.10.96.250
srv-email1 in VLAN dmz running IP 10.20.0.2
srv-email2 in VLAN dmz running IP 10.20.0.3
srv1-company2 in VLAN company2 running IP 10.10.97.250

static (Company1,dmz) 10.10.96.250 10.10.96.250
static (Company2,dmz) 10.10.97.250 10.10.97.250

! Only one access-group can be bound per interface and direction; a second
! "access-group ... in interface dmz" replaces the first, so one ACL is used here.
access-list dmz_to_in permit ip any any
access-group dmz_to_in in interface dmz

If I only need srv-email1 and srv-email2 to deliver to the server in each of the company VLANs, would this solve it, or should I anyway add the DMZ to the global pool with

global (dmz) 1 interface ??

Would this fix it so email will be delivered from srv-email1 and srv-email2 to srv1-company1 and srv1-company2?

It would be nice if I could "browse" the subnet from company1 to company2 and from company1 to DMZ.

Hello Thomas,

If you only need access from each server to the other one you only need the statics; if you need access from all the rest of the users you will need the global!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC