Help with DMZ ASA5510

MandyDroid

Programmer
Aug 25, 2009
350
US
What am I missing? I tried to figure this out all day yesterday. I am new to the ASA5510. I am replacing an existing firewall (Sonicwall) with an ASA5510. I need to create a DMZ for our email server that I can access from the inside network using RDP (3389). As I read around before trying this it seemed pretty straightforward. This is very sanitized and chopped out, but I hope it shows enough that someone - anyone - may be able to help me.

1. Create Ethernet ports with IPs and subnets on the ASA ports
a. Eth0/3 inside 192.x.x.0/24 sec/lev 100
b. Eth0/0 outside 1.2.3.0/29 sec/lev 0
c. Eth0/2 DMZ 172.x.x.0/24 sec/lev 50
2. Create Globals
a. global (outside) 1 interface
3. Create necessary NATs
a. nat (inside) 1 Main-Office-subnet 255.255.255.0
b. nat (DMZ) 1 DMZ-subnet 255.255.255.0
4. Create Static routes
a. static (inside,DMZ) Main-Office-subnet Main-Office-subnet netmask 255.255.255.0
b. static (DMZ,inside) DMZ-subnet DMZ-subnet netmask 255.255.255.0
5. Create access-list
a. access-list inside_access_in extended permit ip any object-group Private-Networks
b. access-list inside_access_in extended permit icmp any DMZ-subnet 255.255.255.0
c. access-list inside_access_in extended permit tcp any DMZ-subnet 255.255.255.0 object-group RDP
d. access-list DMZ_access_in extended permit icmp any any echo-reply
e. access-list DMZ_access_in extended permit ip any Main-Office-subnet 255.255.255.0
f. access-list DMZ_access_in extended permit object-group INT-EXT any any
6. Create access-group
a. access-group outside_access_in in interface outside
b. access-group inside_access_in in interface inside
c. access-group DMZ_access_in in interface DMZ
The result is that I am able to ping a DMZ host if I source it from the DMZ Ethernet. (ping DMZ 172.x.x.10)
If I ping sourcing from the inside Ethernet the ping fails. (ping inside 172.x.x.10)
Also, of course, RDP is not able to make a connection. I am sure I am missing some complete junior mistake here, I am frustrated and begging for any help, advice, suggestions, encouragement. Thank you for reading my post =)


Avaya, Panasonic, Polycom, APC, MCP, A+, CCENT
##################################
"When I was a child, I spoke like a child, I thought like a child, I reasoned like a child.
When I became a man, I gave up childish ways."
 
OK, I solved my own problem. It seems the error was not in my setup - but instead it was in the routing of the server I was connecting to. The server is using the default gateway of my old firewall - so the traffic was routing to it instead of the new firewall - so I added a static route to the server and BOOM - it worked =)

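The failure mode the poster ran into (the ASA permits the forward RDP flow, but the DMZ server's own routing table sends the reply to the old firewall, so the session never completes) can be modelled in a few lines. This is an added illustration, not the poster's configuration; the addresses, the simplified access lists and the routing tables are constructed stand-ins for the masked values in the thread.

```python
import ipaddress

# Constructed addresses standing in for the masked ones in the post.
INSIDE_NET = "192.0.2.0/24"      # Eth0/3 inside, security level 100
DMZ_NET = "172.16.0.0/24"        # Eth0/2 DMZ, security level 50
ASA_DMZ_IP = "172.16.0.1"        # ASA address on the DMZ segment (assumed)
OLD_FW_DMZ_IP = "172.16.0.254"   # the SonicWall being replaced (assumed)
MAIL_SERVER = "172.16.0.10"
RDP_PORT = 3389

# Simplified version of the post's inside_access_in and DMZ_access_in lists:
# (ingress interface, protocol, destination network, destination port or None)
ACL = [
    ("inside", "icmp", DMZ_NET, None),
    ("inside", "tcp", DMZ_NET, RDP_PORT),
    ("DMZ", "ip", INSIDE_NET, None),
]

def asa_permits(ingress_if, proto, dst, dport=None):
    """First-match evaluation with the implicit deny a real ACL ends in."""
    dst = ipaddress.ip_address(dst)
    for acl_if, acl_proto, net, port in ACL:
        if acl_if != ingress_if or dst not in ipaddress.ip_network(net):
            continue
        if acl_proto in ("ip", proto) and port in (None, dport):
            return True
    return False

def next_hop(routes, dst):
    """Longest-prefix match over a host routing table {prefix: gateway}."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def rdp_session_works(client, server_routes):
    """Forward leg through the ASA's ACL, then the server's reply leg.
    The ASA only sees the reply if the server routes it back to the ASA."""
    if not asa_permits("inside", "tcp", MAIL_SERVER, RDP_PORT):
        return False, "ASA denies inside->DMZ tcp/3389"
    gw = next_hop(server_routes, client)
    if gw != ASA_DMZ_IP:
        return False, f"server replies via {gw}, not the ASA: asymmetric path"
    return True, "ok"

# Server routing table before and after the static route the poster added.
BEFORE = {"0.0.0.0/0": OLD_FW_DMZ_IP}
AFTER = {"0.0.0.0/0": OLD_FW_DMZ_IP, INSIDE_NET: ASA_DMZ_IP}
```

Running `rdp_session_works("192.0.2.20", BEFORE)` reports the asymmetric path, while the same call with `AFTER` succeeds; the ACL alone would have passed in both cases, which is why the firewall looked correct.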