https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765603#M192377 <P>The security levels only take effect while there are no access-lists assigned to the interface.&nbsp; Once you assign an ACL to an interface it is the ACL that counts and not the security level.</P><P>what version of ASA are you running?&nbsp; If you are running a version earlier than 8.2 you may need to either add a NAT exempt statement for the traffic or issue the command <STRONG>no nat-control</STRONG>.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Wed, 26 Aug 2015 20:09:49 GMT Marius Gunnerud 2015-08-26T20:09:49Z https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765600#M192365 <P>Hello,</P><P>I have a request from a customer to allow a server on the inside network (192.168.1.203) to the "learning network" 10.10.10.0/24 over a specific set of ports. Here is the current ACL to allow from DMZ to Inside network</P><P>access-list learning_access_in extended permit icmp 10.10.10.0 255.255.255.0 any&nbsp;<BR />access-list learning_access_in extended permit ip 10.10.10.0 255.255.255.0 any&nbsp;<BR />access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any&nbsp;<BR />access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www&nbsp;<BR />access-list learning_access_in remark Allow access to mmgi-apps<BR />access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7725&nbsp;<BR />access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7751&nbsp;<BR />access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7752&nbsp;<BR />access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7753&nbsp;<BR />access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7725&nbsp;<BR />access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7751&nbsp;<BR />access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7752&nbsp;<BR />access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7753&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>However, the application is still unable to access desktops using the core application from Inside network to DMZ. I was under the assumption that lower security networks by default would allow higher ones to access the networks.</P><P>&nbsp;</P><P>interface Ethernet0/1<BR />&nbsp;description ** Inside Network **<BR />&nbsp;nameif inside<BR />&nbsp;security-level 100<BR />&nbsp;ip address 192.168.1.1 255.255.254.0&nbsp;<BR />!</P><P>!<BR />interface Ethernet0/2.7<BR />&nbsp;vlan 25<BR />&nbsp;nameif learning<BR />&nbsp;security-level 25<BR />&nbsp;ip address 10.10.10.254 255.255.255.0&nbsp;<BR />!</P><P>&nbsp;</P><P>&nbsp;</P><P>access-list inside extended permit tcp host 192.168.0.25 any eq smtp&nbsp;<BR />access-list inside extended deny tcp any any eq smtp&nbsp;<BR />access-list inside remark To allow the website "Timothysmithnetwork.org"<BR />access-list inside extended permit tcp any host xxx.xxx.xxx.xxx eq www&nbsp;<BR />access-list inside extended permit ip any any&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks for any help.</P> Tue, 26 Mar 2019 00:56:55 GMT https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765600#M192365 Bobby Mazzotti 2019-03-26T00:56:55Z https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765601#M192370 <P>That is correct, until you put an ACL on it. The traffic will go from the inside to the learning network? or from the Learning network to the inside? or both?&nbsp;</P><P>&nbsp;</P><P>There might be some NAT issues as well, you can try to do a packet tracer to see where the problem is.&nbsp;</P><P>&nbsp;</P><P>packet-tracer input &lt;input src interface ie inside&gt; &lt;tcp/udp&gt; &lt;src host&gt; &lt;dest host&gt; &lt;port&gt;&nbsp;</P><P>&nbsp;</P><P>It should give you something if it is the firewall that is blocking it.&nbsp;</P><P>Mike.&nbsp;</P> Wed, 26 Aug 2015 18:52:17 GMT https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765601#M192370 Maykol Rojas 2015-08-26T18:52:17Z https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765602#M192374 <P>I ran packet tracer for the destined port and received the following -</P><P>FW1# packet-tracer input inside tcp 192.168.1.213 7751 10.10.10.34 7751</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; 10.10.10.0 &nbsp; &nbsp; &nbsp;255.255.255.0 &nbsp; learning</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group inside in interface inside<BR />access-list inside extended permit ip any any<BR />Additional Information:</P><P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 5<BR />Type: NAT<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />&nbsp; match ip inside any learning any<BR />&nbsp; &nbsp; dynamic translation to pool 1 (No matching global)<BR />&nbsp; &nbsp; translate_hits = 1408, untranslate_hits = 0<BR />Additional Information:</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: learning<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Wed, 26 Aug 2015 19:06:59 GMT https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765602#M192374 Bobby Mazzotti 2015-08-26T19:06:59Z https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765603#M192377 <P>The security levels only take effect while there are no access-lists assigned to the interface.&nbsp; Once you assign an ACL to an interface it is the ACL that counts and not the security level.</P><P>what version of ASA are you running?&nbsp; If you are running a version earlier than 8.2 you may need to either add a NAT exempt statement for the traffic or issue the command <STRONG>no nat-control</STRONG>.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Wed, 26 Aug 2015 20:09:49 GMT https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765603#M192377 Marius Gunnerud 2015-08-26T20:09:49Z https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765604#M192382 <P>Ended up having to place a no nat rule -</P><P>access-list NO_NAT_LEARNING extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0</P><P>nat (learning) 0 access-list NO_NAT_LEARNING</P> Wed, 26 Aug 2015 20:17:32 GMT https://community.cisco.com/t5/network-security/access-from-inside-network-to-subnetwork-dmz/m-p/2765604#M192382 Bobby Mazzotti 2015-08-26T20:17:32Z