ASA 5505 DMZ config problem

16 years 7 months ago #25808 by Elohim
His problem is this:

!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.10 255.255.255.0
!


He is defining interface vlan3 with an ip address 192.168.50.10 and his static is:

static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255


Even with your modification:
static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255

You are sending all WWW TCP traffic that hits the outside to the DMZ interface, not the web server inside the DMZ zone. So it'll never hit the web server in the DMZ zone unless he changes the static mapping to point to the web server.


Please try the following:

no static (dmz,outside) tcp 213.139.xxx.xxx www 192.168.50.10 www netmask 255.255.255.255

static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255

I assume that the IP 213.139.xxx.xxx is the interface IP, so it is safe to use the keyword interface on the static NAT that you have. If that doesn't work, it could be due to the fact that you have an ASA 5505 with a base license; normally the DMZ is fully usable with a Security Plus license.

Try it out and let me know if that works. If that doesn't, I can look for the link that talks about the license.
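Elohim's diagnosis above, turned into a configuration check. This is an added Python example, not code from the thread or from Cisco: it parses the pre-8.3 `interface` and `static` syntax shown in the posts (the two sample configs are constructed from the thread's lines) and flags a static whose real address is the DMZ interface's own address rather than a host behind it.

```python
import ipaddress
import re
# Constructed sample configs (pre-8.3 ASA syntax) reproducing the thread: the
# broken DMZ, where the interface carries the web server's address, and the fix.
BROKEN_CFG = """\
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.10 255.255.255.0
!
static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
"""
FIXED_CFG = BROKEN_CFG.replace("ip address 192.168.50.10", "ip address 192.168.50.1")
# static (real_if,mapped_if) tcp <mapped|interface> <mport> <real_ip> <rport> netmask <mask>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)")


def parse_interfaces(cfg):
    """Map each nameif to its IPv4Interface (address plus subnet)."""
    ifaces, name, addr = {}, None, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):  # new block: forget the previous one
            name, addr = None, None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if name is not None and addr is not None:
            ifaces[name] = addr
    return ifaces


def check_statics(cfg):
    """Findings for static lines whose real address is not a host behind the real interface."""
    ifaces, findings = parse_interfaces(cfg), []
    for raw in cfg.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        real_if, _mif, _mapped, _mport, real_ip, _rport, _mask = m.groups()
        real, iface = ipaddress.IPv4Address(real_ip), ifaces.get(real_if)
        if iface is None:
            findings.append(f"{real_ip}: unknown real interface '{real_if}'")
        elif real == iface.ip:  # the thread's bug: traffic lands on the firewall itself
            findings.append(f"{real_ip}: is the {real_if} interface address, not a host behind it")
        elif real not in iface.network:
            findings.append(f"{real_ip}: outside the {real_if} subnet {iface.network}")
    return findings
```

Run `check_statics(BROKEN_CFG)` to see the interface-address finding; the fixed config returns no findings.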

16 years 7 months ago #25812 by Codec
Hi

I'm sorry! I fixed that already..

The configuration for Vlan3 is now:
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.1 255.255.255.0
!

The web server is connected to the DMZ port and its IP address is 192.168.50.10.

-Codec-

16 years 7 months ago #25825 by Elohim
Do you need a VPN tunnel?

What happens now when you access your webserver inside the DMZ?

16 years 7 months ago #25864 by Codec
Hi everybody!

Problem is solved...

I called Cisco and they say it isn't possible to do without the Security Plus License...

-Codec-
16 years 7 months ago #25869 by Elohim
It is possible to do if your inside does not need to talk to your DMZ. The base security license on the 5505 has two zones (inside and outside) and includes a restricted third security zone. It is restricted in that this third zone can only communicate with one other zone, i.e. the DMZ will talk to either the outside or the inside, but not both at the same time.
