Two ASAs back-to-back configuration: access to Internet and DMZ

Rowlands Price
Level 1

Dear Support,

I have 2 Cisco ASA 5520s running version 8.3.

The two ASAs are connected back to back.

I want to allow the internal network behind ASA 2 to access the Internet through ASA 1.

I also want to allow some remote sites directly connected to ASA 2 to access an internal server in the LAN and other servers in DMZ Internal 1 & 2.

The internal network must access all DMZs and the Internet.

Please, how can I configure the internal ASA?

Need your help.

8 Replies

Francesco Molino
VIP Alumni

Hi

Your 1st ASA facing the Internet will be the one handling NAT and NAT exemption for your remote site or VPN accessing the internal LAN behind the internal ASA.

Your internal ASA will be configured like a standard ASA (ACLs, routing) except for NAT. It won't have any NAT configuration.

This means that all ACLs on your internal ASA will see the traffic with its real source IP.

Maybe you're expecting specific answers. If yes, can you detail your question? What do you want to know when saying "how to configure your internal ASA"?

Thanks.

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

Thanks for your reply, you are right, I want my internal ASA acting as a router with ACLs only, no need for NAT here.

My question is: how do I define the security-level on the different interfaces, which are different DMZs?

I have 7 different subnets connected on 7 interfaces.

What will be the security-level for the interface connected to the internal LAN?

What will be the security-level for the interface connected to the Internet ASA?

Many thanks

Hi

You'll need to configure it as a standard ASA even if it's not doing NAT. That means your LAN will have a security level of 100 and your WAN interface facing the inside of your 1st ASA will have a security level of 0.

For the DMZ, it depends on the data behind it. Don't forget when setting your security levels that a higher-level interface can access a lower one.

Thanks
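The following is an added configuration example for the internal ASA (ASA 2) as described in this thread; it is not taken from the original post or from the poster's attached configs. Interface names, security levels for the DMZ and remote-site interfaces, and all addresses are assumed values. It shows the three points made above: LAN at security-level 100, the link toward the Internet ASA at 0, no NAT at all, and an explicit ACL only where traffic must flow from a lower-level interface to a higher one (the remote sites reaching the internal server and a DMZ host).

```cisco
! Internal ASA (ASA 2), software 8.3 - added example with hypothetical names and addresses
! No "nat" statements anywhere: the Internet ASA does all translation.

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Link toward the Internet ASA: this is the "untrusted" side of this box
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
! DMZ segments: pick a distinct level for each (here 60/50) so that
! inside (100) reaches them without an ACL while they cannot reach inside.
! Interfaces sharing a level would also need
! "same-security-traffic permit inter-interface".
interface GigabitEthernet0/2
 nameif dmz-int1
 security-level 60
 ip address 10.20.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif dmz-int2
 security-level 50
 ip address 10.20.2.1 255.255.255.0
!
! Remote sites directly connected to this ASA: low level, so every flow
! toward inside or the DMZs must be permitted explicitly.
interface GigabitEthernet0/4
 nameif remote
 security-level 10
 ip address 172.16.0.1 255.255.255.0
!
! Routing: default toward the Internet ASA, remote-site LANs via the remote-side router
route outside 0.0.0.0 0.0.0.0 192.168.100.1
route remote 172.16.10.0 255.255.255.0 172.16.0.2
route remote 172.16.20.0 255.255.255.0 172.16.0.2
!
object-group network REMOTE_SITES
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
!
! Lower -> higher security: explicit permits only, real (untranslated) addresses.
! The ACL lists the destinations by their real IPs because there is no NAT on this ASA.
access-list REMOTE_IN extended permit tcp object-group REMOTE_SITES host 10.10.0.50 eq 443
access-list REMOTE_IN extended permit tcp object-group REMOTE_SITES host 10.20.1.10 eq 443
access-list REMOTE_IN extended permit icmp object-group REMOTE_SITES 10.10.0.0 255.255.255.0 echo
access-group REMOTE_IN in interface remote
!
! Optional: let replies to inside-initiated pings return through the stateful inspection
policy-map global_policy
 class inspection_default
  inspect icmp
```

With this layout, hosts on inside (100) reach the DMZs, the remote sites and, via the default route, the Internet ASA without any ACL on the inside interface, which is exactly the "higher can reach lower" behaviour noted above. Whether each DMZ gets 60, 50 or any other value is a local choice; only the relative ordering between interfaces matters. Use `show nameif` and `packet-tracer input remote tcp 172.16.10.5 12345 10.10.0.50 443` to confirm the level assignments and that the remote-site ACL is matched.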

Hi Francesco,

Many thanks for your support, it worked: from the internal network I can reach the Internet.

The only issue is that from the internal network behind the internal firewall I cannot ping a server located in DMZ 2, which is connected to the Internet firewall.

But when I created an "any any ip" policy on the inside interface of the Internet firewall, it worked.

Normally, from inside (security-level 100) to a lower security-level, no policy is needed.

I reach the Internet without this policy but cannot reach servers in DMZ 2.

Regards

Hi

Not sure I get it right. Maybe you can share some configs to take a look.

Thanks

Hi,

Please find attached both ASA configs and the new diagram.

Regards

Hi Francesco

Thanks for your support.

I solved the issue, it was NAT exemption.

On the Internet firewall, traffic from inside to DMZ 1 and DMZ 4 must not be translated, so a NAT exemption is required.

I applied it and it works fine now.

Hi

Sorry for my late answer.

Yes, you need NAT exemption for internal communication between your different zones.

Thanks
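An added example for the Internet ASA (ASA 1) side of the fix described in the last two posts, not code from the poster's attachments. On 8.3 a "NAT exemption" is written as identity manual (twice) NAT, which is evaluated before object NAT, so the inside-to-DMZ flow keeps its real addresses while Internet-bound traffic still gets PATed. Interface names (dmz1, dmz4), the internal ASA's address and all subnets are assumptions.

```cisco
! Internet ASA (ASA 1), software 8.3 - added example with hypothetical names and addresses

! Networks behind the internal ASA (its outside interface is 192.168.100.2 in this example)
object network INTERNAL_LANS
 subnet 10.10.0.0 255.255.0.0
route inside 10.10.0.0 255.255.0.0 192.168.100.2
route inside 10.20.0.0 255.255.0.0 192.168.100.2
route inside 172.16.0.0 255.255.0.0 192.168.100.2

! Local DMZ segments on this ASA
object network DMZ1_NET
 subnet 10.40.1.0 255.255.255.0
object network DMZ4_NET
 subnet 10.40.4.0 255.255.255.0

! NAT exemption: identity manual NAT for inside -> dmz1 and inside -> dmz4.
! Source and destination are translated to themselves, i.e. not translated at all.
! Manual NAT (section 1) is matched before the object NAT below, so these
! flows never hit the dynamic PAT.
nat (inside,dmz1) source static INTERNAL_LANS INTERNAL_LANS destination static DMZ1_NET DMZ1_NET
nat (inside,dmz4) source static INTERNAL_LANS INTERNAL_LANS destination static DMZ4_NET DMZ4_NET

! Internet-bound traffic from the internal LANs: dynamic PAT to the outside interface address
object network INTERNAL_LANS_PAT
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! DMZ servers that must be reachable from the Internet keep their own static object NAT
object network DMZ1_WEB
 host 10.40.1.10
 nat (dmz1,outside) static 203.0.113.10

! Verification: the ICMP flow that failed in the thread should now show the
! identity NAT rule in phase "NAT" and an ALLOW result.
packet-tracer input inside icmp 10.10.0.20 8 0 10.40.1.10
show nat
```

`show nat` lists the manual rules first (section 1), then the object rules (section 2); seeing the identity rule with a non-zero translate_hits count after a test ping confirms that inside-to-DMZ packets are being exempted rather than PATed. If the ping still fails after this, `packet-tracer` shows which phase drops it, so the remaining problem (typically a missing route or an ACL on the DMZ side) can be located without adding a broad "any any" permit.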