TOPIC: ASA 5505 DMZ config problem

Re: ASA 5505 DMZ config problem 11 years 1 month ago #25808

His problem is this:

!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.10 255.255.255.0
!


He is defining interface vlan3 with an ip address 192.168.50.10 and his static is:

static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255


Even with your modification:
static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255

You are sending all WWW TCP traffic that hits the outside to the DMZ interface, not to the web server inside the DMZ zone. So it'll never hit the web server in the DMZ zone unless he changes the static mapping to point to the web server.


Please try the following:

no static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255

static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255

I assume that the IP 213.139.xxx.xxx is the interface IP, so it is safe to use the keyword interface on the static NAT that you have. If that doesn't work, it could be due to the fact that you have an ASA 5505 with a base license; normally the DMZ is fully usable with a Security Plus license.

Try it out and let me know if that works. If it doesn't, I can look for the link that talks about the license.

Re: ASA 5505 DMZ config problem 11 years 1 month ago #25812

Codec (Topic Author)
Hi

I'm sorry! I fixed that already.

The configuration for Vlan3 is now:
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.1 255.255.255.0
!

The web server is connected to the DMZ port and its IP address is 192.168.50.10.

-Codec-

Re: ASA 5505 DMZ config problem 11 years 1 month ago #25825

Do you need a VPN tunnel?

What happens now when you access your webserver inside the DMZ?

Re: ASA 5505 DMZ config problem 11 years 1 month ago #25864

Codec (Topic Author)
Hi everybody!

Problem is solved...

I called Cisco and they say it isn't possible to do without a Security Plus license...

-Codec-

Re: ASA 5505 DMZ config problem 11 years 1 month ago #25869

It is possible to do if your inside does not need to talk to your DMZ. The base security license on the 5505 has two zones (inside and outside) and includes a restricted third security zone. It is restricted in that this third zone can only communicate with one other zone, i.e. the DMZ will either talk only to the outside or only to the inside, but not both at the same time.

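Putting the two points of this thread together (the static must map the public address to the web server, not to the DMZ interface address, and on a Base license the third VLAN is only allowed if it is restricted with no forward interface), the following is an added example of a complete, working 5505 configuration in the pre-8.3 NAT syntax used in the thread. It is not the poster's configuration: the VLAN numbers, inside subnet, switchport assignments, ACL name, the use of DHCP on the outside interface and the 198.51.100.7 test address are all assumptions.

```cisco
! Added example, not the original poster's config. Pre-8.3 NAT syntax as used
! in this thread. Assumed: Vlan1 = inside 192.168.1.0/24, Vlan2 = outside (DHCP),
! Vlan3 = dmz 192.168.50.0/24, web server 192.168.50.10 on Ethernet0/2.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Base license: a third VLAN is only accepted if it is restricted from
! initiating traffic to one other VLAN. The no forward interface line must be
! entered before nameif or the ASA rejects the third VLAN on a Base license.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
! Outbound PAT for inside and dmz hosts behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
!
! Static PAT: outside-interface-IP:80 -> the web server (192.168.50.10),
! not the dmz interface (192.168.50.1). "interface" is only correct when the
! public address really is the outside interface address; for a spare public
! IP put that address here instead of the interface keyword.
static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
!
! Outside (0) to dmz (50) is lower-to-higher security and is denied by
! default; permit only TCP/80. Pre-8.3 ACLs match the mapped address, i.e.
! the outside interface address, not 192.168.50.10.
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside
!
! After replacing a static, clear existing translations so the old one is
! not reused.
clear xlate
!
! Verification (198.51.100.7 is an assumed, documentation-range test source;
! replace <outside-ip> with the outside interface address):
! packet-tracer walks the ACL and NAT phases and ends in ALLOW or DROP, which
! shows whether a failure is the static, the ACL or the VLAN restriction.
! packet-tracer input outside tcp 198.51.100.7 40000 <outside-ip> 80 detailed
! show xlate | include 192.168.50.10
! show version | include VLAN
```

With the Base license, show version reports 3 VLANs (two regular plus the restricted one) while Security Plus reports 20; that line is the quickest way to confirm which case the box is in before chasing the NAT or ACL. With no forward interface Vlan1 the DMZ cannot initiate connections to the inside, which is what the restricted third zone means in practice.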
