New Cisco ASA 5515X

adesobaadesoba Posts: 3Registered Users ■□□□□□□□□□
Hello everyone,
I want to migrate a client network from ASA 8.2 to 9.1. Presently, the 8.2 box takes LAN users to the internet, and to a webserver in the DMZ. The DMZ server is assessed both from the LAN with a private IP address and from the internet using its public IP address.
After translating the current 8.2 config, LAN users can assess the internet, but cannot browse the webserver in the DMZ; but 'weirdly' can ping it. Kindly share a sample config, if you have conquered this before. Bear in mind that NAT is different in 9.1 compared to 8.2. Here is a part of the config.


interface GigabitEthernet0/0
nameif outsideif
security-level 0
ip address outside-if 255.255.255.248
!
interface GigabitEthernet0/1
nameif insideif
security-level 100
ip address inside-if 255.255.255.248
!
interface GigabitEthernet0/2
nameif dmzif
security-level 50
ip address dmz-if 255.255.255.0
!
object network DMZ-webserver
host 192.168.0.4
!
object network DMZ-webserver_public_IP
host 19X.2X.4.13
!
access-list outsideacl extended permit tcp any object DMZ-webserver eq www
access-list dmzacl extended permit ip any any
!
nat (dmzif,outsideif) source static DMZ-webserver DMZ-webserver_public_IP
object network inside-lan_outside
nat (insideif,outsideif) dynamic interface
route outsideif 0.0.0.0 0.0.0.0 outside-router 1
route insideif 10.0.0.0 255.0.0.0 inside-router 1




There are no other access-lists in the running config.
Many thanks in advance.

Comments

  • BobMeadBobMead Posts: 55Member ■■■□□□□□□□
    You need to use an object nat on the dmz object and make sure you have access groups in the config that are setup for each acl in use. Also try packet tracer under the tools section of ASDM to simulate the traffic flow and see where it breaks.
    Press RETURN to get started

    :roll:
Sign In or Register to comment.