
ASA 5510 DMZ setup


cepacs (Technical User), Jun 3, 2008
We have an ASA 5510 running ASA version 8.2(1). I would like to add a DMZ to the device. I'm assuming I would go to Configuration/Device Setup/Interface and add Ethernet0/2 as the DMZ interface. Is this correct? Should the Security Level be 50?
 
You can make any interface the DMZ interface. The security level can be anything between 0 - 100 but most make it 50. Depending on your needs/configuration you might consider creating subinterfaces on the interface since you are setting it up.

Here is a link to read about it.


Stubnski
 
I have the interface setup and enabled, but can't ping the interface. I have an access rule for icmp... any/any. What am I missing?
 
I assume, by setup and enabled you also have it connected? Have you tried pinging from the ASA or from a workstation behind another interface?
 
I cannot ping from the inside interface to the dmz. I can ping from the dmz to itself (obviously), but not from any other interface.
 
You need to create a rule to allow this.

ACSS - SME
General Geek

 
Hi,
I assume you are using the ASA GUI. Do a packet trace and see where the packets stop - Tools --> Packet Tracer.

Also check the real time log monitor if the packet tracer doesn't help - Monitoring --> Logging --> Change logging level to debug --> View.


Stubnski
 
Ok, realized that hairlessupportmonkey was right... I needed a rule to allow ICMP on the DMZ interface. After adding the rule, still couldn't ping the interface. I could, however, ping from the DMZ interface to the attached core switch.

I then tried the Packet Tracer that stubnski suggested. Since I needed to choose a port, I used ssh and added a rule to allow ssh on the DMZ interface. Once it gets to the DMZ, it seems to fail with "Flow is denied by configured rule." Obviously I have something wrong with the access list config... I'll look at it closer and see what I can find.
 
Can't figure it out! I've tried setting up my access rules and NAT rules to allow http traffic in to a server in the DMZ, but I can't get it to work.

I found out I can ping from within the DMZ vlan to the DMZ interface on the ASA. I can also ping from the DMZ interface to any device within the DMZ vlan. I don't know why I cannot access http from the outside. I have an access rule for it and a NAT rule.

Any ideas?
 
Without a copy of the configuration we can only guess at the issue.
 
Here's the interface config...

interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.10.90.2 255.255.254.0


Here's the access list config...

access-list DMZ_access_in extended permit tcp any host xx.xx.xxx.129 eq www

Here's the NAT config...

static (DMZ,outside) tcp xx.xx.xxx.129 255.255.255.255

Here's two other DMZ statements I found in the config...

access-group DMZ_access_in in interface DMZ
mtu DMZ 1500

Anything I'm missing to give me web access to 10.10.90.5?
 
Your ACL needs to be applied inbound on your outside interface, not your DMZ interface.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
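The corrected shape of this setup, as an added example rather than anything posted in the thread: it combines the poster's Ethernet0/2 config with the advice that the ACL belongs inbound on the outside interface, and assumes the thread's addresses plus the documentation-range placeholder 203.0.113.129 for the sanitized xx.xx.xxx.129 and a placeholder 10.0.0.0/8 for the inside network.

```cisco
! Added example, not from the thread. ASA 8.2 (pre-8.3 NAT syntax).
! 203.0.113.129 is a placeholder for the sanitized public address xx.xx.xxx.129.
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.10.90.2 255.255.254.0
!
! Static PAT: outside clients reach 203.0.113.129:80, the ASA forwards only
! that port to the DMZ web server 10.10.90.5:80. Nothing else is published.
static (DMZ,outside) tcp 203.0.113.129 www 10.10.90.5 www netmask 255.255.255.255
!
! On 8.2 the ACL applied to the outside interface references the MAPPED
! (public) address, not the real DMZ address, and it goes on "outside".
access-list outside_access_in extended permit tcp any host 203.0.113.129 eq www
access-group outside_access_in in interface outside
!
! DMZ egress ACL: once an access-group is bound to DMZ, the ACL (with its
! implicit deny) governs traffic leaving the DMZ. Explicitly denying the inside
! network (placeholder 10.0.0.0/8) before the permit keeps a compromised DMZ
! host from initiating connections to the inside.
access-list DMZ_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_access_in extended permit ip any any
access-group DMZ_access_in in interface DMZ
!
! Inside -> DMZ: with nat-control disabled (the ASA default) no NAT statement
! is required for higher-to-lower traffic. With nat-control enabled, add an
! identity static such as:
!   static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
! Stateful ICMP replies (the inside-to-DMZ ping test) need icmp inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
!
! The server 10.10.90.5 must use 10.10.90.2 as its default gateway. If its
! replies leave via the core switch toward the inside interface instead, the
! ASA sees an asymmetric flow and drops it, which matches the symptom of ACL
! hits without a web page.
```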
 
Oh, okay... that makes sense! So wouldn't the NAT rules also need to be applied to the outside interface?
 
I think the NAT rules should be applied on the DMZ interface, but I still can't seem to get it to work. I do see hits on the access rule now, but can't get to the web page of the server. It works internally so I'm assuming it's the ASA.
 
Ok, called Cisco and the engineer says my current config is fine and it should be working. I'm beginning to wonder if the problem might be on our core switch? I'm wondering if packets are reaching the server, but instead of coming back to the DMZ, they are being sent to the inside interface?
 
Post your entire sanitized config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 