configuring router to access two servers with the same name

gabebrooks
Level 1

Hi all.

I have an old server that has custom apps developed by a bankrupt company that we can't replace yet. We are being tasked with upgrading the Operating System and security patches, while preserving the existing live server. I was able to accomplish this by virtualizing it, then cloning the virtual machine. Where I got stuck was, the custom app requires a specific host name. So, I got the idea to have the two servers live on different sides of the firewall until the test platform is accepted and the old live one can be retired.

My problem is that I have no experience with configuring a real firewall like this asa5510.

Servers are:

CM1 live server

CM2 test platform

ADS Active Directory and File and Print

My thought is to set up:

*LAN-WAN (NAT) - Allow

*LAN-DMZ ( NO NAT) - Allow only http to CM2 (accessing by IP rather than host due to duplicate names)

DMZ-LAN (No NAT) - Allow CM2 to use ADS printing services

DMZ-WAN (No NAT) - Block

*WAN-LAN (NAT) - Allow ICA to CM1

WAN-DMZ (NAT) - Allow https to CM2

~~~

* is already set up.

Does this make sense? I've started to carefully poke around in the Cisco ASDM-IDM, but haven't figured out how to access the DMZ from the outside (so far just testing with http as I don't have my certificate to set up https just yet). Am I missing something to get through to the DMZ from the WAN side?

Sorry for being such a noob, and thanks for any advice!

2 Replies

KBCISCO
Level 1

Can you post your configuration and remove any sensitive info (public IPs, usernames etc.)?

Thank you for your reply... it actually turned out that the DMZ and external facing T1 side had the same security level.

same-security-traffic permit inter-interface
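
Added example, not part of the thread and not Cisco code: a small Python model of the ASA's default inter-interface rules, run against the permit/deny table from the original post. It shows why WAN-DMZ fails when both interfaces share a security level, and that once `same-security-traffic permit inter-interface` is set, blocking DMZ-WAN depends on an access list on the DMZ interface. The interface names, level values and access-list contents are assumptions, and ports and NAT are not modelled.

```python
# Simplified model of ASA inter-interface defaults: interface granularity only,
# no ports and no NAT. Interface names and levels are constructed samples.

def verdict(src, dst, levels, same_security_permit=False, acl=None):
    """Return 'permit' or 'deny' for a new connection entering src, leaving dst.

    acl maps an ingress interface to the set of egress interfaces its inbound
    access list permits. An interface with an access list loses the implicit
    higher-to-lower permit and ends in an implicit deny.
    """
    acl = acl or {}
    if levels[src] == levels[dst] and not same_security_permit:
        return "deny"  # same level: dropped even if an access list permits it
    if src in acl:
        return "permit" if dst in acl[src] else "deny"
    # No access list on src: allowed toward lower levels, and toward equal
    # levels once same-security-traffic permit inter-interface is configured.
    return "permit" if levels[src] >= levels[dst] else "deny"

# The policy table from the post, reduced to permit/deny per direction.
WANTED = {
    ("inside", "outside"): "permit",   # LAN-WAN
    ("inside", "dmz"): "permit",       # LAN-DMZ
    ("dmz", "inside"): "permit",       # DMZ-LAN
    ("dmz", "outside"): "deny",        # DMZ-WAN
    ("outside", "inside"): "permit",   # WAN-LAN
    ("outside", "dmz"): "permit",      # WAN-DMZ
}

def mismatches(levels, same_security_permit, acl):
    """Flows whose modelled verdict differs from the intended policy."""
    return sorted(flow for flow, want in WANTED.items()
                  if verdict(*flow, levels, same_security_permit, acl) != want)

SAME = {"inside": 100, "dmz": 0, "outside": 0}        # constructed levels
DISTINCT = {"inside": 100, "dmz": 50, "outside": 0}   # constructed levels
ACL = {"outside": {"inside", "dmz"}, "dmz": {"inside"}}

if __name__ == "__main__":
    print("same level, no command:  ", mismatches(SAME, False, ACL))
    print("same level, with command:", mismatches(SAME, True, ACL))
    print("distinct levels:         ", mismatches(DISTINCT, False, ACL))
    # Without an access list on dmz, the command opens DMZ-WAN implicitly.
    print("dmz->outside, no dmz ACL:",
          verdict("dmz", "outside", SAME, True, {"outside": ACL["outside"]}))
```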
