need help to fix ASA 5510 with public IP dmz

  • need help to fix ASA 5510 with public IP dmz

    I need your help to fix this problem; what am I missing? Right now, an inside client is able to access the outside and DMZ networks.

    The problem is that an outside client cannot access the DMZ, even for mail and web, and the DMZ server cannot get out to the outside.

    Here is the network diagram

    Outside firewall inside
    114.x.x.113---114.x.x.114 [ASA5510] DHCP+NAT---LAN
    Public IP 114.x.x.121

    Mail, web, etc.
    114.x.x.122 114.x.x.123

    Here is the running config

    Result of the command: "show running-config"

    : Saved
    ASA Version 7.0(7)
    hostname firewall
    enable password 4Y6sQVKRpKLCAOEc encrypted
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 114.x.x.114
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 114.x.x.121
    interface Management0/0
    nameif management
    security-level 100
    ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    clock timezone ICT 7
    object-group service mail tcp
    port-object eq pop3
    port-object eq pop2
    port-object eq imap4
    port-object eq smtp
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any interface dmz eq www
    access-list outside_access_in extended permit tcp any 114.x.x.120 eq ssh
    access-list dmz_access_in extended permit tcp any host 114.x.x.122 object-group mail
    access-list dmz_access_out extended permit tcp any any
    access-list inside_nat0_outbound extended permit ip 114.x.x.120
    access-list inside_nat0_outbound extended permit ip any
    access-list dmz_nat0_outbound extended permit ip 114.x.x.120 any

    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10
    nat (dmz) 0 access-list dmz_nat0_outbound
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_out out interface dmz
    route outside 114.x.x.113 1
    dns-server value 202.x.x.205 202.x.x.201
    default-domain value
    http inside
    http management
    http management
    no snmp-server location
    no snmp-server contact
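An added audit example, not from the original post: the Python below parses access-list and access-group lines of the form used in the running config above (a constructed subset is embedded) and reports ACLs that are never applied, ACEs whose destination is written as `interface <nameif>` (which on the ASA means the interface's own address, not a host behind it), and outbound ACLs that restrict which protocols may open new flows toward an interface. The function names and the sample are assumptions of this example.

```python
import re

# Constructed sample, modelled on the access-list / access-group lines of the
# running config posted above (the masks the post elides are left out here too).
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface dmz eq www
access-list dmz_access_in extended permit tcp any host 114.x.x.122 object-group mail
access-list dmz_access_out extended permit tcp any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_out out interface dmz
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
BIND_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse(config):
    """Return ({acl: [(action, proto, rest), ...]}, {(iface, direction): acl})."""
    acls, bindings = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2, 3, 4))
        elif m := BIND_RE.match(line):
            bindings[(m.group(3), m.group(2))] = m.group(1)
    return acls, bindings

def audit(config):
    """Flag three things that usually mean traffic is not going where the author expects."""
    acls, bindings = parse(config)
    findings = []
    for name in acls:
        if name not in bindings.values():
            findings.append(f"{name}: defined but never applied with access-group, so it filters nothing")
    for name, aces in acls.items():
        for _action, _proto, rest in aces:
            # 'interface <nameif>' inside an ACE means that interface's own IP, not a server
            if re.search(r"\binterface (\S+)", rest):
                findings.append(f"{name}: '{rest}' matches the ASA interface address, not a server")
    for (iface, direction), name in bindings.items():
        protos = {proto for _a, proto, _r in acls.get(name, [])}
        # an 'out' ACL that omits 'ip' blocks new flows of every other protocol toward that interface
        if direction == "out" and protos and "ip" not in protos:
            findings.append(f"{name} out on {iface}: only {sorted(protos)} may initiate flows toward {iface}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```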

  • #2
    Re: need help to fix ASA 5510 with public IP dmz

    I've never done it that way before. I would normally have the DMZ on a private range and then create statics for the public to private IP/port.

    Not saying your way is wrong but I can't help with it so we may have to wait for an expert.
