We have an ASA 5510 running ASA version 8.2(1). I would like to add a DMZ to the device. I'm assuming I would go to Configuration/Device Setup/Interface and add Ethernet0/2 as the DMZ interface. Is this correct? Should the Security Level be 50?
You can make any interface the DMZ interface. The security level can be anything between 0 and 100, but most make it 50. Depending on your needs/configuration, you might consider creating subinterfaces on the interface since you are setting it up.
OK, realized that hairlessupportmonkey was right... I needed a rule to allow ICMP on the DMZ interface. After adding the rule, I still couldn't ping the interface. I could, however, ping from the DMZ interface to the attached core switch.
I then tried the Packet Tracer that stubnski suggested. Since I needed to choose a port, I used ssh and added a rule to allow ssh on the DMZ interface. Once it gets to the DMZ, it seems to fail with "Flow is denied by configured rule." Obviously I have something wrong with the access list config... I'll look at it closer and see what I can find.
Can't figure it out! I've tried setting up my access rules and NAT rules to allow http traffic in to a server in the DMZ, but I can't get it to work.
I found out I can ping from within the DMZ vlan to the DMZ interface on the ASA. I can also ping from the DMZ interface to any device within the DMZ vlan. I don't know why I cannot access http from the outside. I have an access rule for it and a NAT rule.
I think the NAT rules should be applied on the DMZ interface, but I still can't seem to get it to work. I do see hits on the access rule now, but can't get to the web page of the server. It works internally, so I'm assuming it's the ASA.
OK, called Cisco and the engineer says my current config is fine and it should be working. I'm beginning to wonder if the problem might be on our core switch? I'm wondering if packets are reaching the server, but instead of coming back to the DMZ, they are being sent to the inside interface?
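For reference, here is what the pieces discussed in this thread (the DMZ interface with security level 50, the ICMP/SSH-to-interface rules, the static NAT and the inbound access rule for a web server, and the packet-tracer check) look like on the CLI in 8.2 syntax. This is an added example, not the original poster's configuration and not something posted in the thread. The interface name "dmz", the 192.168.50.0/24 DMZ subnet, the server at 192.168.50.10, the access-list name, and the public addresses are all assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real public addresses.

```cisco
! Added example, not the thread's config. Addresses, the "dmz" nameif,
! the server IP and the ACL name are assumptions.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! Traffic addressed to the ASA's own dmz interface (ping, SSH) is controlled
! by these commands, not by the interface access-list, which only governs
! through traffic.
icmp permit 192.168.50.0 255.255.255.0 dmz
ssh 192.168.50.0 255.255.255.0 dmz
!
! 8.2-style static NAT: publish the DMZ web server 192.168.50.10 as 203.0.113.10.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
!
! Inbound rule. In 8.2 the ACL bound to the outside interface matches the
! mapped (public) address, not the real DMZ address. Only TCP/80 is opened.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside
!
! Optional: let other DMZ hosts reach the outside through the outside
! interface address (required if nat-control is enabled).
global (outside) 1 interface
nat (dmz) 1 192.168.50.0 255.255.255.0
!
! Verify the path from the CLI the same way the thread does from ASDM.
! The destination is the public (mapped) address, as an Internet client
! would see it.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
show access-list outside_access_in
show xlate
```

Two checks worth making with this in place: the packet-tracer output must end with the dmz interface as the egress interface and an ALLOW result, and the web server's default gateway must be the dmz interface address (192.168.50.1 here). If the core switch is routing the DMZ VLAN and the server's replies are forwarded toward the ASA's inside interface instead of back out the dmz interface, the ASA drops them because the return traffic does not match the connection it built on the dmz interface, which fits the symptom in the last post of hits on the access rule but no page loading.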