need help to fix ASA 5510 with public IP dmz

  • need help to fix ASA 5510 with public IP dmz

    I need your help to fix this problem; what am I missing? Right now the inside client is able to access the outside and dmz networks.

    The problem is that outside clients cannot access the dmz, not even mail and web, and the dmz servers cannot get out to the outside.

    Here is the network diagram

    Outside firewall inside
    114.x.x.113---114.x.x.114 [ASA5510] 192.168.2.1---x.x.x.2 DHCP+NAT---LAN
    |
    Dmz
    Public IP 114.x.x.121

    Mail web etc……
    114.x.x.122 114.x.x.123


    Here is running config

    Result of the command: "show running-config"

    : Saved
    :
    ASA Version 7.0(7)
    !
    hostname firewall
    domain-name host.domain.com
    enable password 4Y6sQVKRpKLCAOEc encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 114.x.x.114 255.255.255.252
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 114.x.x.121 255.255.255.248
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    clock timezone ICT 7
    object-group service mail tcp
    port-object eq pop3
    port-object eq pop2
    port-object eq imap4
    port-object eq smtp
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any interface dmz eq www
    access-list outside_access_in extended permit tcp any 114.x.x.120 255.255.255.248 eq ssh
    access-list dmz_access_in extended permit tcp any host 114.x.x.122 object-group mail
    access-list dmz_access_out extended permit tcp any any
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 114.x.x.120 255.255.255.248
    access-list inside_nat0_outbound extended permit ip any 192.168.0.248 255.255.255.248
    access-list dmz_nat0_outbound extended permit ip 114.x.x.120 255.255.255.248 any



    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_out out interface dmz
    route outside 0.0.0.0 0.0.0.0 114.x.x.113 1
    dns-server value 202.x.x.205 202.x.x.201
    default-domain value
    webvpn
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
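
A cross-reference check over the posted config, as an added example that is not part of the original post: it parses the `access-list`, `access-group` and `nat` lines and reports which ACL is bound to each interface and which ACLs are defined but never applied. The `audit` function and its regexes are hypothetical helpers that cover only the line forms appearing in this config.

```python
import re
from collections import defaultdict

# Excerpt of the running-config from the post (addresses masked as posted).
CONFIG = """\
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface dmz eq www
access-list outside_access_in extended permit tcp any 114.x.x.120 255.255.255.248 eq ssh
access-list dmz_access_in extended permit tcp any host 114.x.x.122 object-group mail
access-list dmz_access_out extended permit tcp any any
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 114.x.x.120 255.255.255.248
access-list dmz_nat0_outbound extended permit ip 114.x.x.120 255.255.255.248 any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_out out interface dmz
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+\d+\s+access-list\s+(\S+)$")


def audit(config):
    """Cross-reference ACL definitions against access-group and nat usage."""
    defined = defaultdict(list)   # ACL name -> its entries
    bound = {}                    # (interface, direction) -> ACL name
    nat_acls = set()              # ACLs used as NAT match criteria
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            defined[m.group(1)].append(m.group(2))
        elif m := GROUP_RE.match(line):
            bound[(m.group(3), m.group(2))] = m.group(1)
        elif m := NAT_RE.match(line):   # plain "nat (if) id net mask" is skipped
            nat_acls.add(m.group(2))
    referenced = set(bound.values()) | nat_acls
    return {
        "unreferenced": sorted(set(defined) - referenced),
        "undefined": sorted(referenced - set(defined)),
        "bound": bound,
    }

if __name__ == "__main__":
    report = audit(CONFIG)
    for (iface, direction), acl in sorted(report["bound"].items()):
        print(f"{iface:8} {direction:3} -> {acl}")
    print("defined but never applied:", report["unreferenced"])
```

On this excerpt it reports `dmz_access_in` as defined but not bound by any `access-group` line, and shows that the only ACL bound to the dmz interface is `dmz_access_out` in the `out` direction.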

  • #2
    Re: need help to fix ASA 5510 with public IP dmz

    I've never done it that way before. I would normally have the DMZ on a private range and then create statics for the public to private IP/port.

    Not saying your way is wrong but I can't help with it so we may have to wait for an expert.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?
