Hi Ruggero,

Thank you very much for the reply. 

As there are total 5 servers and I only have one port in firewall so i am thinking to connect switch to the 4th port of the firewall and private ip range i.e 172.16.1.0/24 will be configured on the server. I have a small doubt, what is the configuration required for 4th port on firewall.

Regards

Mukesh Patel.

Interface GigabitEthernetx/x

 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0

no shut

!

The FW interface becomes the GW to your servers and you can assign static IPs to the Servers in the 172.16.1.0/24 range then you can install a L2 switch and create a shared L2 vlan between the FW DMZ interface and the Servers that needs to talk to the DMZ interface of the FW.

Then you can configure acls for DMZ and apply them to the DMZ interface.

access-group acl_dmz in interface dmz

Do not forget that to make the 172.16.1.0/24 servers reachable from outside, you need to create static NAT entries for each server. For example:

 static (dmz,outside) Server_Public_IP_1 172.16.1.2 netmask 255.255.255.255

static (dmz,outside) Server_Public_IP_2 172.16.1.3 netmask 255.255.255.255

static (dmz,outside) Server_Public_IP_3 172.16.1.4 netmask 255.255.255.255

static (dmz,outside) Server_Public_IP_4 172.16.1.5 netmask 255.255.255.255

static (dmz,outside) Server_Public_IP_5 172.16.1.6 netmask 255.255.255.255

Thank you very much Ruggero,

I am going to try this solution and will let you know.

Hi Rugero,

I have done the configuration as you said but still i am not able to access server from the internet.  Please see the attached config of my firewall.

Try changing it into this:

Hi Rugero,

I have tried above solution but still it did not work. We have cisco 3825 router before ASA. Please find attached config of it. I did not find anything which can block traffic from 3825 router. Please let me know if there is anything wrong with this router config.

Regards

Mukesh

Hi Mukesh,

The Firewall configuration is correct, however when you configure a static NAT between the DMZ host and a public IP, you need to make sure that the Internet is capable of routing to your Firewall defined static NAT IPs via the Internet Routers.

In your Router I am just seeing that you have a default route to the Internet and an internal route to 10.0.0.0.

Normally the Internet Router connects to the ISP Router with BGP and it advertise the Public IPs subnets to the Internet via the ISP Router.

Your ISP Router will publish your public subnets to the Internet via BGP and point the Internet users to your CPE Internet Router.

Your CPE Internet Router will then route your public IPs to the Firewall outside Interface so that they can match the DMZ static IP NAT rule that you defined.

Try to do a traceroute from the Internet to your public DMZ IPs and see where it stops and where it goes, that will tell you exactly where the issue is.

Hi Ruggero,

Thank you very much for helping me. since last coupleof days, I was trying to solve this issue. Now it is working and your solution has worked but with little change.

what I did is, I removed following ACL statement.

access-list outside_access_in extended permit tcp any host public_IP eq 8080

and I have added following ACL statement

access-list outside_access_in extended permit ip any host public_IP 

After adding above statement, i was able to ping public IP. 

Now the problem is we are going to run one application on our server which will use port 8080. We dont want to open all the ports. Do you have any idea what can be done to allow only traffic for port 8080? 

If I permit IP then it means all ports are open which will have security issues.

Regards

Mukesh

Hi Mukesh,

If you want to allow only port 8080 and ICMP ping, then you just have to restrict the ip any any using the tcp and the ports. For example, this one allows Ping, port 80, port 443 and port 8080: