topic Re: configuring DMZ host to access LAN in Network Security

configuring DMZ host to access LAN

henokk601 — Fri, 21 Feb 2020 15:30:12 GMT

Hi All

i have ASA 5525 connected to DMZ server cisco2960 and core switch 4500 series(VSS configured on it) and i connected asa5525 with the core switch using port channel and i want the dmz network to access the internal core side network and vice versa so what should i do ?

Internal network 172.20.x.x

Dmz Network 192.168.x.x

Regards,

Re: configuring DMZ host to access LAN

adedipeopeoluwa — Mon, 12 Mar 2018 08:16:25 GMT

Create an acl statement on the firewall to permit inside ip address to reach the dmz and vice versa.

e.g

DMZ interface : access-group dmz_access_in in interface DMZ

Inside interface: access-group inside_access_in in interface Inside

access-list inside_access_in extended permit tcp 172.20.*.* 255.255.0.0 192.168.*.* 2555.255.0.0

access-list dmz_access_in extended permit tcp 192.168.*.* 2555.255.0.0 172.20.*.* 255.255.0.0 192.168.*.* 2555.255.0.0

core switch 4500

Create a route for the internal network to reach the dmz ip through the gateway btw the firewall and your core switch.

Though i think it is better you have specific servers on the inside network you want specific servers on the dmz to communicate with.

In this case, you can create an object group and grant permissions based on these object group.

Re: configuring DMZ host to access LAN

henokk601 — Mon, 12 Mar 2018 08:34:44 GMT

can i share you the configuration i do the same however it won't work

Re: configuring DMZ host to access LAN

adedipeopeoluwa — Mon, 12 Mar 2018 08:42:55 GMT

Kindly share but do remember to remove sensitive information