Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
371
Views
0
Helpful
3
Replies

Problem Configuring DMZ on ASA firewall

karamalomari
Level 1
Level 1

‎02-02-2011 03:54 AM - edited ‎03-11-2019 12:43 PM

I have a problem with accessing the internet from the DMZ Server:

This how the network setup look like:

DMZ Switch --> ASA Firewall --> Router --> Internet Lease Line with Public IP set (ISP)

Below is the configuration on the Firewall:

------------------------------------------------------

interface Ethernet0/2
description " DMZ Interface Connected to DMZ Switch "
nameif dmz
security-level 50
ip address 10.18.28.1 255.255.255.0
!

access-list fromout extended permit ip any host 94.x.x.x (public ip address)

access-list dmz_acl extended permit ip any host 10.18.28.10

!

global (outside) 1 94.x.x.x  (public ip address)

nat (dmz) 1 10.18.28.0 255.255.255.0
static (dmz,outside) 94.x.x.x 10.18.28.10 netmask 255.255.255.255
access-group fromout in interface outside
access-group dmz_acl in interface dmz

!

Configuration on the Router:

-------------------------------------

interface GigabitEthernet0/2
description " Internet Lease Line "
ip address 83.x.x.x 255.255.255.252
ip policy route-map DMZ
duplex auto
speed auto
!

ip route 94.x.x.x 255.255.255.255 10.18.30.1

!

ip access-list extended DMZ_ACL
permit ip 94.x.x.x 0.0.0.15 any

!

route-map DMZ permit 20
match ip address DMZ_ACL
set ip next-hop 83.x.x.x

!

Any help will be highly appreciate it.

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎02-02-2011 03:58 AM

Your dmz access-list does not allow the dmz subnet to access the internet.

You would need to add the following:

access-list dmz_acl extended permit ip 10.18.28.0 255.255.255.0 any

Hope that helps.

0 Helpful

karamalomari
Level 1
Level 1
In response to Jennifer Halim

‎02-02-2011 04:05 AM

I have tried that but without any luck.

I forgot to mention in my earlier post that there is natting happing on the Router as below:

interface GigabitEthernet0/0
description " Connected To Firewall "
ip address 10.18.30.10 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

!

interface GigabitEthernet0/1
description " Connected To ADSL "
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/2
description " Internet Lease Line "
ip address 83.x.x.x 255.255.255.252
ip policy route-map DMZ
duplex auto
speed auto
!

ip nat inside source list Internet interface GigabitEthernet0/1 overload

!

ip access-list extended Internet
permit ip 10.18.10.0 0.0.0.255 any
permit ip 10.18.13.0 0.0.0.255 any
permit ip 10.18.22.0 0.0.0.255 any
!

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to karamalomari

‎02-02-2011 07:54 AM

Well, you have also configured NAT on the ASA firewall.

Are you trying to configure NAT on the router or NAT on the ASA?

NAT on the ASA has been configured for DMZ subnet of 10.18.28.0/24 and getting PATed to 94.x.x.x

However, NAT on the router has not included the DMZ subnet.

Further to that, how is the DMZ subnet being routed from the router towards the ASA? do you have route statement to route the DMZ subnet towards the ASA outside interface?

How is your router actually connected to the ASA? Which interface on the ASA connects to which interface of the router. You would need to provide the complete picture to understand your topology.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card