We have an ASA 5510 with four networks: inside, outside, dmz, WLAN. All inside addresses have NAT to outside, dmz and WLAN. There exists one static policy from inside to outside for our IMAP server.

This server is reachable from outside. OK. From WLAN we cannot reach this server, nor from dmz. This is our problem.

I tried to solve this by establishing a second static policy from inside to WLAN. This works, but there is a DNS problem: the server has to have another name, because the IP is a different one from that of the global outside. And I don't want to use split-horizon or other techniques.

Why isn't this possible?

I think I am missing a directive or misunderstand something here.

Could you enlighten me? I appreciate every answer.

gln
What do your logs say is happening? What security levels do your interfaces have? Do your wlan/dmz networks have NATs to the outside? – paulos Oct 17 '11 at 11:05

2 Answers

Regardless of whether or not you are NAT-ing an internal host to a less-secure interface, you still need to allow access from the less secure interface to the internal one.

Given the way PIXOS works, if you have no ACLs, by default all access from the more secure interface to the less secure interface is allowed. This does not apply to traffic from the less secure interface to any more secure interface, however.

Other than that, there is no issue (split-horizon or otherwise) with assigning the same NAT-ed IP on separate interfaces; the assumption being that traffic on these different interfaces will never be exposed to each other anyway (if not, you're bridging your firewall...).

In the DMZ example, you need an ACL to allow access from the DMZ to the NAT-ed IMAP server's IP:

    #access-list DMZ_access_in extended permit tcp any host <NAT-ed IP of IMAP server> eq 143

NOTE that access lists always need to match the NAT-ed address, as they are applied before NAT.

adaptr
Paulos and Adaptr, thank you for your comments. I have solved this, but in an unusual way. But there was information I didn't tell you. First: I changed the security level from 30 to 0 for the dmz network. Second: I set a second explicit route to the outside router, although a default route to it already exists! But I double checked: without this route there was no connection, but with it it worked. I am a little bit stunned, but it works:

    S 0.0.0.0 0.0.0.0 via 10.10.10.1, outside
    S 10.10.20.1 255.255.255.255 via 10.10.10.1, outside

where 10.10.20.1 is the IMAP server.

Thank you again for working this out.

gln