02-02-2011 03:54 AM - edited 03-11-2019 12:43 PM
I have a problem with accessing the internet from the DMZ Server:
This is how the network setup looks:
DMZ Switch --> ASA Firewall --> Router --> Internet Lease Line with Public IP set (ISP)
Below is the configuration on the Firewall:
------------------------------------------------------
interface Ethernet0/2
 description " DMZ Interface Connected to DMZ Switch "
 nameif dmz
 security-level 50
 ip address 10.18.28.1 255.255.255.0
!
access-list fromout extended permit ip any host 94.x.x.x (public ip address)
access-list dmz_acl extended permit ip any host 10.18.28.10
!
global (outside) 1 94.x.x.x (public ip address)
nat (dmz) 1 10.18.28.0 255.255.255.0
static (dmz,outside) 94.x.x.x 10.18.28.10 netmask 255.255.255.255
access-group fromout in interface outside
access-group dmz_acl in interface dmz
!
Configuration on the Router:
-------------------------------------
interface GigabitEthernet0/2
 description " Internet Lease Line "
 ip address 83.x.x.x 255.255.255.252
 ip policy route-map DMZ
 duplex auto
 speed auto
!
ip route 94.x.x.x 255.255.255.255 10.18.30.1
!
ip access-list extended DMZ_ACL
 permit ip 94.x.x.x 0.0.0.15 any
!
route-map DMZ permit 20
 match ip address DMZ_ACL
 set ip next-hop 83.x.x.x
!
Any help will be highly appreciated.
02-02-2011 03:58 AM
Your dmz access-list does not allow the dmz subnet to access the internet.
You would need to add the following:
access-list dmz_acl extended permit ip 10.18.28.0 255.255.255.0 any
Hope that helps.
02-02-2011 04:05 AM
I have tried that but without any luck.
I forgot to mention in my earlier post that there is NATting happening on the Router as below:
interface GigabitEthernet0/0
 description " Connected To Firewall "
 ip address 10.18.30.10 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description " Connected To ADSL "
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description " Internet Lease Line "
 ip address 83.x.x.x 255.255.255.252
 ip policy route-map DMZ
 duplex auto
 speed auto
!
ip nat inside source list Internet interface GigabitEthernet0/1 overload
!
ip access-list extended Internet
 permit ip 10.18.10.0 0.0.0.255 any
 permit ip 10.18.13.0 0.0.0.255 any
 permit ip 10.18.22.0 0.0.0.255 any
!
02-02-2011 07:54 AM
Well, you have also configured NAT on the ASA firewall.
Are you trying to configure NAT on the router or NAT on the ASA?
NAT on the ASA has been configured for DMZ subnet of 10.18.28.0/24 and getting PATed to 94.x.x.x
However, NAT on the router has not included the DMZ subnet.
Further to that, how is the DMZ subnet being routed from the router towards the ASA? Do you have a route statement to route the DMZ subnet towards the ASA outside interface?
How is your router actually connected to the ASA? Which interface on the ASA connects to which interface of the router? You would need to provide the complete picture to understand your topology.
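The two checks raised in this thread (the first reply: dmz_acl has no permit for the DMZ subnet outbound; the third reply: the router's NAT access-list "Internet" does not include 10.18.28.0/24) can be run over the config text itself. The following Python is an added example written for this page, not configuration or code from the thread or from Cisco. It assumes the ACL names and the DMZ subnet exactly as posted, and uses constructed config excerpts that deliberately leave out the 94.x.x.x public address, since only the two ACLs decide whether DMZ traffic is permitted and NATed.

```python
import ipaddress

# Constructed excerpts modelled on the thread's ASA and router configs.
# The 94.x.x.x public address from the thread is deliberately left out; only
# the two ACLs that decide whether DMZ traffic is allowed and NATed are needed.
ASA_DMZ_ACL = "access-list dmz_acl extended permit ip any host 10.18.28.10\n"
ASA_DMZ_ACL_FIXED = ASA_DMZ_ACL + (
    "access-list dmz_acl extended permit ip 10.18.28.0 255.255.255.0 any\n")

IOS_NAT_ACL = """\
ip access-list extended Internet
 permit ip 10.18.10.0 0.0.0.255 any
 permit ip 10.18.13.0 0.0.0.255 any
 permit ip 10.18.22.0 0.0.0.255 any
!
"""
IOS_NAT_ACL_FIXED = IOS_NAT_ACL.replace(
    "!\n", " permit ip 10.18.28.0 0.0.0.255 any\n!\n")

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _take_address(tokens, i, wildcard):
    """Consume one ACL address spec at tokens[i] ('any', 'host A.B.C.D', or
    'A.B.C.D MASK') and return (IPv4Network, index of the next token).
    IOS ACLs write MASK as a wildcard (0.0.0.255); ASA ACLs as a subnet mask."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:  # invert the wildcard bits to get a conventional netmask
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False), i + 2


def parse_asa_acls(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' lines.
    Returns {name: [(action, proto, src_net, dst_net), ...]}.
    Object-groups and port qualifiers are not handled (none appear in the thread)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _take_address(t, 5, wildcard=False)
        dst, _ = _take_address(t, i, wildcard=False)
        acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
    return acls


def parse_ios_acls(text):
    """Parse 'ip access-list extended NAME' blocks with indented permit/deny
    entries (wildcard masks). Same return shape as parse_asa_acls."""
    acls, name = {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            name = t[3]
            acls.setdefault(name, [])
        elif name and t[0] in ("permit", "deny") and len(t) >= 4:
            src, i = _take_address(t, 2, wildcard=True)
            dst, _ = _take_address(t, i, wildcard=True)
            acls[name].append((t[0], t[1], src, dst))
        elif not line.startswith(" "):
            name = None  # any unindented line ends the access-list block
    return acls


def subnet_permitted_to_any(entries, subnet):
    """First-match evaluation: does this ACL permit the whole subnet to any
    destination for protocol 'ip'? Entries covering only part of the subnet
    are skipped, so a partial permit does not count as coverage."""
    net = ipaddress.IPv4Network(subnet)
    for action, proto, src, dst in entries:
        if proto == "ip" and net.subnet_of(src) and dst == ANY:
            return action == "permit"
    return False


def diagnose(asa_text, ios_text, dmz_subnet="10.18.28.0/24"):
    """Return the two checks raised in the thread as a dict of booleans."""
    asa = parse_asa_acls(asa_text)
    ios = parse_ios_acls(ios_text)
    return {
        "asa_dmz_acl_permits_dmz_outbound":
            subnet_permitted_to_any(asa.get("dmz_acl", []), dmz_subnet),
        "router_nat_acl_includes_dmz":
            subnet_permitted_to_any(ios.get("Internet", []), dmz_subnet),
    }


if __name__ == "__main__":
    print("as posted :", diagnose(ASA_DMZ_ACL, IOS_NAT_ACL))
    print("after fix :", diagnose(ASA_DMZ_ACL_FIXED, IOS_NAT_ACL_FIXED))
```

Run as posted, both checks come back False; with the first reply's dmz_acl line and a matching `permit ip 10.18.28.0 0.0.0.255 any` in the router's Internet list, both come back True. The script only audits ACL membership; the return route for 10.18.28.0/24 towards the ASA, which the third reply also asks about, has to be checked in the router's routing table separately.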