new to cisco asa 5505

Discussion in 'Cisco' started by random.it.questions@gmail.com, Oct 8, 2008.

  1. Guest

    Hi everyone. I'm working on a school project and as I'm extremely new
    to Cisco devices I could use some help. I have the base license.
    I've created an inside, outside, and dmz VLAN. I can currently access
    a webpage I have hosted on one of the DMZ hosts externally. Now, the
    problem is that if I want to access it from an inside host I can only
    type in the external address, not the dmz host's address. If I switch
    around a single NAT rule I can access it by typing in the DMZ address,
    but not the external address. It is accessible the entire time from
    the outside.

    How would I make it so that I can access the dmz webpage from the
    inside using either address?

    Any help and explanation would be appreciated, as I don't really
    understand the CLI and have been using ASDM.

    inside = 192.168.1.x
    dmz = 192.168.10.x
    ext = 65.xxx.xxx.xxx

    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ciscoasa
    domain-name project.local
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 3
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !

    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name project.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any interface outside eq www inactive
    access-list outside_access_in extended permit ip any any
    access-list dmz_access_in remark dmz-main:any to dmz-server:http
    access-list dmz_access_in extended permit ip any any
    access-list outside_nat_outbound extended permit tcp any interface outside eq www
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 1 interface
    global (outside) 1 interface
    global (dmz) 1 interface
    global (dmz) 2 192.168.10.2 netmask 255.255.255.255
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 access-list outside_nat_outbound outside
    nat (dmz) 1 0.0.0.0 0.0.0.0
    static (dmz,outside) tcp interface www 192.168.10.2 www netmask 255.255.255.255
    static (dmz,outside) tcp 65.xx.xxx.xx ftp 192.168.10.2 ftp netmask 255.255.255.255
    static (dmz,inside) 65.xx.xxx.xx 192.168.10.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable


    etc...
     
    , Oct 8, 2008
    #1
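    As an added example (not posted by anyone in the thread), a small Python audit run over a constructed excerpt of the configuration above. It flags the three points a reviewer would raise before touching the NAT rules: the www entry in outside_access_in is marked inactive, the next entry permits ip any any inbound on the outside (security-level 0) interface, and the DMZ VLAN carries the no forward interface Vlan1 restriction. The excerpt and the wording of the findings are assumptions made for this example.

```python
import re
# Constructed excerpt of the ASA 7.2(3) config posted above (a sample, not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 100
access-list outside_access_in extended permit tcp any interface outside eq www inactive
access-list outside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""

def parse(config):
    """Collect security levels, ACL entries, ACL bindings and 'no forward' restrictions."""
    levels, acls, bindings, no_forward, nameif = {}, {}, {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]                 # name of the current interface block
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith("no forward interface "):
            no_forward.append(line.split()[-1])      # VLAN this block may not initiate to
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bindings[m.group(2)] = m.group(1)        # interface -> inbound ACL name
    return levels, acls, bindings, no_forward

def audit(config):
    """Return the findings a reviewer would raise about the posted ACL/interface setup."""
    levels, acls, bindings, no_forward = parse(config)
    findings = []
    for iface, acl in bindings.items():
        for entry in acls.get(acl, []):
            if entry.endswith(" inactive"):
                findings.append(f"{acl}: '{entry}' is inactive and never matches")
            elif entry == "permit ip any any" and levels.get(iface) == 0:
                findings.append(f"{acl}: permit ip any any inbound on {iface} (level 0)")
    for target in no_forward:
        findings.append(f"no forward interface {target}: this VLAN cannot initiate to {target}")
    return findings
```

Running audit(SAMPLE_CONFIG) yields three findings; the last one is the Base-license DMZ restriction, which no NAT rule change removes.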

  2. Doan Guest

    I am afraid you will need the Sec. Plus license for that. From cisco.com:

    "With the Base platform, communication between the DMZ VLAN and the Inside
    VLAN is restricted: the Inside VLAN is permitted to send traffic to the
    DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to the Inside
    VLAN.

    The Security Plus license removes this limitation, thus enabling a full
    DMZ configuration."

    Doan

     
    Doan, Oct 9, 2008
    #2