Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASA 5510 DMZ setup

Status
Not open for further replies.
cepacs

cepacs

Technical User
Joined
Jun 3, 2008
Messages
32
Location
US
We have an ASA 5510 running ASA version 8.2(1). I would like to add a DMZ to the device. I'm assuming I would go to Configuration/Device Setup/Interface and add Ethernet0/2 as the DMZ interface. Is this correct? Should the Security Level be 50?
 
Sort by date Sort by votes
You can make any interface the DMZ interface. The security level can be anything between 0 - 100 but most make it 50. Depending on your needs/configuration you might consider creating subinterfaces on the interface since you are setting it up.

Here is a link to read about it.


Stubnski
 
Upvote 0 Downvote
I have the interface setup and enabled, but can't ping the interface. I have an access rule for icmp... any/any. What am I missing?
 
Upvote 0 Downvote
I assume, by setup and enabled you also have it connected? Have you tried pinging from the ASA or from a workstation behind another interface?
 
Upvote 0 Downvote
I cannot ping from the inside interface to the dmz. I can ping from the dmz to itself (obviously), but not from any other interface.
 
Upvote 0 Downvote
you need to create a rule to allow this.

ACSS - SME
General Geek

CallUsOn.png


1832163.png
 
Upvote 0 Downvote
Hi,
I assume you are using the ASA GUI. Do a packet trace and see where the packets stop - Tools --> Packet Tracer.

Also check the real time log monitor if the packet tracer doesn't help - Monitoring --> Logging --> Change logging level to debug --> View.


Stubnski
 
Upvote 0 Downvote
Ok, realized that hairlessupportmonkey was right... I needed a rule to allow ICMP on the DMZ interface. After adding the rule, still couldn't ping the interface. I could, however, ping from the DMZ interface to the attached core switch.

I then tried the Packet Tracer that stubnski suggested. Since I needed to choose a port, I used ssh and added a rule to allow ssh on the DMZ interface. Once it gets to the DMZ, it seems to fail with "Flow is denied by configured rule." Obviously I have something wrong with the access list config... I'll look at it closer and see what I can find.
 
Upvote 0 Downvote
Can't figure it out! I've tried setting up my access rules and NAT rules to allow http traffic in to a server in the DMZ, but I can't get it to work.

I found out I can ping from within the DMZ vlan to the DMZ interface on the ASA. I can also ping from the DMZ interface to any device within the DMZ vlan. I don't know why I cannot access http from the outside. I have an access rule for it and a NAT rule.

Any ideas?
 
Upvote 0 Downvote
Without a copy of the configuration we can only guess at the issue.
 
Upvote 0 Downvote
Here's the interface config...

interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.10.90.2 255.255.254.0


Here's the access list config...

access-list DMZ_access_in extended permit tcp any host xx.xx.xxx.129 eq www

Here's the NAT config...

static (DMZ,outside) tcp xx.xx.xxx.129 255.255.255.255

Here's two other DMZ statements I found in the config...

access-group DMZ_access_in in interface DMZ
mtu DMZ 1500

Anything I'm missing to give me web access to 10.10.90.5?
 
Upvote 0 Downvote
your ACL needs to be applied inbound on your outside interface, not your DMZ interface.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Oh, okay... that makes sense! So wouldn't the NAT rules also need to be applied to the outside interface?
 
Upvote 0 Downvote
I think the NAT rules should be applied on the DMZ interface, but I still can't seem to get it to work. I do see hits on the access rule now, but can't get to the webpage page of the server. It works internally so I'm assuming it's the ASA.
 
Upvote 0 Downvote
Ok, called Cisco and the engineer says my current config is fine and it should be working. I'm beginning to wonder if the problem might be on our core switch? I'm wondering if packets are reaching the server, but instead of coming back to the DMZ, it is being sent to the inside interface?
 
Upvote 0 Downvote
post your entire sanitized config

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
gkreg
  • Locked
  • Question Question
asa 5500-x url filtering
Replies
0
Views
699
gkreg
gkreg
phjames
  • Locked
  • Question Question
Replacement for ASA-5510
Replies
1
Views
391
ADB100
ADB100
AllenH12
  • Locked
  • Question Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
654
AllenH12
AllenH12

Part and Inventory Search

Sponsor

Back
Top