Sadikhov IT Certification forums
efeohimor

Enabling traffic flow from ASA dmz to outside


I have an ASA configuration that allows traffic flows from inside to outside and from dmz to inside and vice versa. But it looks strange that traffic will not go from dmz to outside or from outside to dmz.

 

I tried searching online and did not get sufficient info. I don't know if anyone on this forum knows about the ASA not allowing dmz to outside traffic. I have configured static NAT and allowed all IP traffic from outside to dmz, but all to no avail. Contributions from experienced members will be appreciated.


:) - post here:

show run static
show run nat
show run global
show run access-group
show run access-list

and also the security level of each interface.

Edited by laf_c


Thanks. I have been trying to see what is wrong and I have made some modifications. I discovered that a telnet connection goes between dmz and outside and vice versa; I did not try this yesterday. I discovered I cannot ping between the dmz and outside. I did not try telnet yesterday, I only did a ping test and felt it was not connecting. Right now ping does not go through.

 

show run static
static (inside,Outside) 10.50.1.50 10.50.4.2 netmask 255.255.255.255
static (dmz,Outside) 10.50.2.2 10.50.2.2 netmask 255.255.255.255

show run nat
nat (inside) 0 access-list NAT_EXEMPT
nat (inside) 20 10.50.4.0 255.255.255.0

show run global
global (dmz) 20 10.50.10.3-10.50.10.50

show run access-group
access-group Outside_access_in in interface Outside
access-group dmz_access_inside in interface dmz

show run access-list
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp 10.50.1.0 255.255.255.0 10.50.2.0 255.255.255.0 echo
access-list Outside_access_in extended permit icmp 10.50.1.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list Outside_access_in extended permit icmp 10.50.1.0 255.255.255.0 10.50.2.0 255.255.255.0 echo-reply
access-list Outside_access_in extended permit icmp 10.50.7.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list Outside_access_in extended permit ip 10.50.1.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list Outside_access_in extended permit icmp 10.50.1.0 255.255.255.0 10.50.4.0 255.255.255.0
access-list Outside_access_in extended permit tcp 10.50.1.0 255.255.255.0 10.50.4.0 255.255.255.0 eq ftp
access-list Outside_access_in extended permit tcp 10.50.1.0 255.255.255.0 eq ftp-data 10.50.4.0 255.255.255.0
access-list Outside_access_in extended permit udp 10.50.1.0 255.255.255.0 10.50.4.0 255.255.255.0 eq tftp
access-list Outside_access_in extended permit icmp 10.50.7.0 255.255.255.0 10.50.4.0 255.255.255.0
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 10.50.4.0 255.255.255.0 eq www
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 10.50.4.0 255.255.255.0 eq https
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 host 10.50.1.50 eq ftp
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 host 10.50.1.50 eq ftp-data
access-list Outside_access_in extended permit udp 10.50.7.0 255.255.255.0 host 10.50.1.50 eq tftp
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 host 10.50.1.50 eq www
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 host 10.50.1.50 eq https
access-list NAT_EXEMPT extended permit ip 10.50.4.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list NAT_INSIDE_REMOTE extended permit tcp host 10.50.4.2 eq www 10.50.7.0 255.255.255.0
access-list dmz_access_inside extended permit icmp 10.50.2.0 255.255.255.0 10.50.10.0 255.255.255.0

Interface security levels
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.50.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.4.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.50.2.1 255.255.255.0


OK, now state your requirements, one per line, as this config is messed up. Also, what IOS version are you running?


I am using GNS3 and running ASA IOS version 8.0(2).

 

I want to be able to establish connectivity between inside and outside, dmz and inside, and outside and dmz, in both directions in each case. My simulation diagram is attached.

 

Thanks

[attachment: simulation diagram]


I see :); first of all, I believe you need to read more about why an ASA is needed in a typical company.

Let's see what I can do:

Part 1:
- 1st, pay attention to the security level of each interface; read about it.
- 2nd, delete any nat or static statement.
- now you can access:
AAA: from inside to dmz, and
BBB: from inside to outside, and
CCC: from dmz to outside.

Part 2:
- if you want access the other way, you need to apply an access-list on outside in and dmz in:
AA: you need an access-list on outside in if you want to access dmz or inside from outside.
BB: you need an access-list on dmz in if you want to access inside from dmz. You DO NOT need any access-list if you want to access outside from dmz.
- stick only to these two access-lists: outside-in and dmz-in. Play with them until you fully understand. For now, forget about using access-lists on outside or dmz in the OUT direction.

Part 3:
Figure out for yourself why you need NAT. Then proceed with the classic scenario: PAT from inside to outside.

For all of these, use this page. It's all there.

Edited by laf_c

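The three parts of the answer above, carried through as one ASA 8.0(2) configuration for the lab in this thread. This is an added example, not the configuration posted earlier and not laf_c's own text. Taken from the thread: the interface names, addresses and security levels, the DMZ server 10.50.2.2 and the inside server 10.50.4.2 published toward Outside as 10.50.1.50. Assumed for illustration: which services are published (www and https on the DMZ server, www on 10.50.1.50 for 10.50.7.0/24) and that dmz to inside is limited to ICMP echo; change those lines to match the real requirement. Two things in the posted config are worth reading against it: the first line of Outside_access_in is "permit ip any any", so every narrower line after it is never reached and the DMZ server and the published inside host are open to anything from Outside; and dmz_access_inside only permits ICMP to 10.50.10.0/24, so once it is bound to dmz the implicit deny at its end drops everything from dmz to Outside, which the security level alone would otherwise have permitted.

```cisco
! ASA 8.0(2), pre-8.3 NAT syntax. Added example for the thread's topology;
! not the posted config. Assumed: published services and the dmz->inside
! policy (see the lead-in).
!
! Part 1: security levels. With no ACL bound to an interface, traffic from a
! higher level to a lower one is permitted and the reverse is denied.
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.50.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.50.4.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.50.2.1 255.255.255.0
!
! Part 3: NAT. PAT inside->Outside on the interface address; exempt
! inside<->dmz from NAT (a packet that matches a nat rule but has no global
! on its egress interface is dropped, which a nat 20 / global (dmz) 20 pair
! with no global on Outside invites); identity static for the DMZ server so
! the outside-in ACL can name it; 10.50.4.2 published as 10.50.1.50.
access-list NAT_EXEMPT extended permit ip 10.50.4.0 255.255.255.0 10.50.2.0 255.255.255.0
nat (inside) 0 access-list NAT_EXEMPT
nat (inside) 1 10.50.4.0 255.255.255.0
global (Outside) 1 interface
static (dmz,Outside) 10.50.2.2 10.50.2.2 netmask 255.255.255.255
static (inside,Outside) 10.50.1.50 10.50.4.2 netmask 255.255.255.255
!
! Part 2, AA: Outside -> dmz/inside. On pre-8.3 code the inbound ACL matches
! the mapped (translated) destination. No "permit ip any any"; only the
! published services, from the sources that need them.
access-list Outside_access_in extended permit tcp any host 10.50.2.2 eq www
access-list Outside_access_in extended permit tcp any host 10.50.2.2 eq https
access-list Outside_access_in extended permit icmp any host 10.50.2.2 echo
access-list Outside_access_in extended permit tcp 10.50.7.0 255.255.255.0 host 10.50.1.50 eq www
access-group Outside_access_in in interface Outside
!
! Part 2, BB: dmz -> inside. Binding an ACL to dmz replaces the security-level
! default with "this ACL, then deny", so dmz -> Outside has to be permitted
! here explicitly. Order matters: the inside deny sits before the broad permit.
access-list dmz_access_in extended permit icmp 10.50.2.0 255.255.255.0 10.50.4.0 255.255.255.0 echo
access-list dmz_access_in extended deny ip 10.50.2.0 255.255.255.0 10.50.4.0 255.255.255.0
access-list dmz_access_in extended permit ip 10.50.2.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
!
! Ping: the ASA does not track ICMP statefully unless ICMP inspection is on,
! so echo-replies coming back from Outside are dropped. Enable it in the
! default policy instead of permitting echo-reply in the outside-in ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
```

To check each direction without leaving the CLI, use packet-tracer with a host on each side (10.50.1.10 and 10.50.7.10 here are assumed test hosts): "packet-tracer input dmz icmp 10.50.2.2 8 0 10.50.1.10" should end in ALLOW via dmz_access_in and an xlate, "packet-tracer input Outside tcp 10.50.7.10 40000 10.50.1.50 80" should show the static untranslating to 10.50.4.2, and "packet-tracer input Outside tcp 10.50.1.10 40000 10.50.2.2 23" should be dropped by Outside_access_in. "show access-list Outside_access_in" and "show access-list dmz_access_in" give per-line hit counts, which is the quickest way to spot a line that is shadowed by an earlier, broader one.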

Thanks, laf_c. I will read up on it; I am just trying to understand setting up the Cisco ASA. I know I placed some general rules before some specific ones, and other things like that. I am still going to set up another lab and build it from scratch.

 

Thanks for your responses.

