ASA 5550 configuration

itdsmartnet
Level 1

Hi,

I have installed an ASA 5550. My inside interface is connected to a 2960 switch, and users in the network have their default gateway pointing to the IP address of the ASA inside interface.

My question is that I have placed my proxy server, NMS and FTP server in the DMZ zone. How will the traffic flow for internet access? All the users are pointing to their default gateway. How will the ASA forward traffic to the proxy, and then the proxy forward it to the internet?

Thanks


11 Replies

Jon Marshall
Hall of Fame

Presumably you have the proxy server configured in the web browser on the client PCs?

If so, assuming:

client vlan = 192.168.5.0/24

ASA inside interface = 192.168.5.1

DMZ vlan = 192.168.10.0/24

Proxy server = 192.168.10.2

The user requests a web page; the browser sees it needs to send the packet to the proxy, so the client PC sends the packet to the ASA inside interface. The ASA then forwards the packet on to the proxy server in the DMZ.

The proxy server then sends the request to the web site requested by the client PC.

Jon

Hi,

For the ASA to forward traffic to the proxy, do we need some sort of static mapping or not?

OR

Does the ASA forward traffic to the proxy by default? And for the proxy to communicate with the internet, what should I do?

Thanks

For all servers in the DMZ to reach the internet you can do this:

nat (dmz) 5 0 0

global (Outside) 5 interface

Now check whether you are able to reach the proxy server from the inside LAN; if not, you need to configure NONAT for traffic from inside to DMZ.

Hi,

Thanks for your response. I would like to ask whether I need some kind of ACL for traffic returning from the internet to the proxy server, and how I should configure NONAT for traffic from inside to DMZ. Please give me some details, i.e. whether ACLs are applied or not.

Thanks

Hi,

An ACL is not required for the return traffic from the internet.

Now, for inside to DMZ, please check if you are able to access the proxy server.

You should be able to access it because, by default, nat-control is disabled.

Thanks for your help.

Another thing I want to know: I have placed my mail server in the DMZ too. What sort of configuration do I need on the ASA so that the mail server can communicate with the internet as well as with the inside network?

Thanks

Suppose your mail server in the DMZ is 172.16.20.25 and the IP on the Outside interface is A.B.C.D; then configure NAT and an ACL like this:

static (dmz,Outside) tcp A.B.C.D 25 172.16.20.25 25

access-list out-in permit tcp any host A.B.C.D eq 25

access-group out-in in interface Outside

Hi,

How will my inside users communicate with the mail server?

Thanks

With the DMZ IP, 172.16.20.25.

Thanks for your reply.

OK, do I need to configure any ACL for inside users to communicate with the web server in the DMZ, and for the web server to communicate with inside users?

Thanks

Hi Waseem,

If the web server in the DMZ initiates a connection to the Inside, then an ACL is required.

But if Inside users connect to the web server in the DMZ, it won't need an ACL, as traffic is flowing from a high security zone to a low security zone.
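Putting the replies above together, here is an added, self-contained configuration example. It is not part of the thread and uses the pre-8.3 ASA syntax that the replies use (8.3 and later replaced nat/global/static with object NAT, so it does not paste into those releases). Addressing follows Jon Marshall's example; the interface names, the outside address 203.0.113.2, the DMZ mail server 192.168.10.25 and the NMS 192.168.10.3 are assumptions for illustration. It covers the three points raised in the thread: Internet access for inside and DMZ hosts, the NONAT exemption for inside-to-DMZ traffic, the published mail server, and the ACL needed when a DMZ host initiates a connection to the inside.

```cisco
! Assumed interfaces and addressing (inside and DMZ taken from Jon's example).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Inside and DMZ hosts (proxy, NMS, FTP, mail) reach the Internet PAT'd to the
! outside interface address. One NAT ID for both source interfaces is enough.
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
!
! Identity NAT, the "NONAT" the replies mention. nat (inside) 1 matches every
! inside host, so inside-to-DMZ traffic would look for a global on the dmz
! interface and be dropped even with nat-control disabled. Exempting it keeps
! inside users talking to the proxy and mail server on their real DMZ IPs.
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Mail server in the DMZ (assumed 192.168.10.25), published on the outside
! interface IP for TCP/25 only. An ACL on the outside interface is required
! because the Internet (0) is lower than the DMZ (50).
static (dmz,outside) tcp interface 25 192.168.10.25 25 netmask 255.255.255.255
access-list out-in extended permit tcp any interface outside eq 25
access-group out-in in interface outside
!
! DMZ (50) to inside (100) is low-to-high, so a DMZ-initiated connection needs
! an ACL. Applying an ACL to the dmz interface replaces the security-level
! default, so the DMZ hosts' own Internet access must be permitted explicitly
! and everything else towards the inside is denied. Here only the assumed NMS
! may poll inside hosts over SNMP.
access-list dmz-in extended permit udp host 192.168.10.3 192.168.5.0 255.255.255.0 eq snmp
access-list dmz-in extended deny ip any 192.168.5.0 255.255.255.0
access-list dmz-in extended permit ip any any
access-group dmz-in in interface dmz
!
! No ACL is needed for replies from the Internet to the proxy: the ASA is
! stateful and permits return traffic for connections the proxy initiated.
```

To check the inside-to-proxy path before putting users on it, run packet-tracer from the ASA (for example `packet-tracer input inside tcp 192.168.5.20 1025 192.168.10.2 8080`, with an assumed client and proxy port) and confirm the NAT phase shows the nat 0 exemption rather than a drop; `show xlate` afterwards should show no translation for inside-to-DMZ flows and a PAT entry for the proxy's own connections out to the Internet.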
