topic Instead of NATing to the DMZ, in Network Security

Manage hosts on DMZ from Inside network

razorbakill — Tue, 12 Mar 2019 05:40:35 GMT

Hello,

I've setup a ASA5505 with basic license running version 8.2 using all 3 interfaces, outside, inside, and the dmz. All is working as it should with the inside and dmz interfaces being able to access the outside and get to the internet.

The issue i'm having is being able to ping or manage any devices from the inside network to any devices on the dmz. Being that the inside has a higher security level, I thought that it would communicate with the dmz at a lower security level.

I'm obviously missing something and more configuration is needed. I've tried several suggestions with nat and static nat but still not working.

I have uploaded my config. Any help on this issue would be greatly appreciated.

With the base license you can

Jon Marshall — Sat, 21 Mar 2015 13:12:32 GMT

With the base license you can't do this.

Notice this command under your DMZ interface -

no forward interface Vlan1

this is a restriction with the license you have. Your DMZ is only allowed to talk to one other interface and naturally you want that to be the outside interface.

You would need a license upgrade to be able to communicate between all interfaces.

Jon

I was under the impression

razorbakill — Sat, 21 Mar 2015 15:09:54 GMT

I was under the impression that the "no forward interface vlan1" on the DMZ interface was so the DMZ could not initiate communication to the inside network. I'm trying to have the inside interface initiate the communication to the DMZ network, which would then reply to the inside network.

So for instance if I had a web server on the DMZ network, should it not be that any device on the inside network could initiate communication to the web server in the DMZ?

I was under the impression

Jon Marshall — Sat, 21 Mar 2015 15:17:59 GMT

I was under the impression that the "no forward interface vlan1" on the DMZ interface was so the DMZ could not initiate communication to the inside network.

My apologies, I think I gave you incorrect information and your understanding is correct.

Can you add this to your configuration and try again -

"global (DMZ) 1 interface"

Jon

That did it! Thanks so much

razorbakill — Sat, 21 Mar 2015 16:19:42 GMT

That did it! Thanks so much for your for your help Jon. It is greatly appreciated.

Instead of NATing to the DMZ,

Karsten Iwen — Sun, 22 Mar 2015 01:02:02 GMT

Instead of NATing to the DMZ, you could also configure NAT-Exemption for the traffic from inside to DMZ:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

With that, your DMZ-systems see the real IPs of your inside hosts. That's what I prefer for internal communication.