topic Re: I need to DMZ access to internet and see the inside on ASA 5 in Network Security

I need to DMZ access to internet and see the inside on ASA 5520

josue jonathan rivero herrera — Mon, 11 Mar 2019 23:58:34 GMT

Hi everyone.

I am new in ASA, I have the DMZ (10.1.1.0/24) configured on ASA 5520 and I achieve the reach Internet from DMZ (10.1.1.0/24), but now need reach DMZ from inside (172.16.12.0/24) and inside (172.16.12.0/24) from DMZ (10.1.1.0/24), in other words round trip.

ths show run is attached.

I try with the next links, but dont work.

https://supportforums.cisco.com/thread/2018253

https://supportforums.cisco.com/thread/2045888

thk for help me !!!

Re: I need to DMZ access to internet and see the inside on ASA 5

Marvin Rhoads — Tue, 25 Sep 2012 01:46:39 GMT

Since the DMZ is lower security level than inside, you must create and apply and access-list to allow DMZ-originated traffic to access inside addresses.

Something like:

access-list DMZ_IN extended permit

access-group DMZ_IN in interface DMZ

Inside to DMZ will automatically work (unless you start ACLing in in which case an implicit deny will be added at the end).

If you're new to the ASA, I recommend you use ASDM to create your changes. Set it to preview commands and look at what it generates to understand the CLI.

Re: I need to DMZ access to internet and see the inside on ASA 5

josue jonathan rivero herrera — Tue, 25 Sep 2012 20:27:29 GMT

hi Marvin.

I try with ASDM but I do not like, I think that is better with CLI.

I try with you tell me later, i think that this help me.

access-list DMZ_IN permit 10.1.1.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list DMZ_IN permit 10.1.1.0 255.255.255.0 172.16.6.0 255.255.255.0

access-group DMZ_IN permit in interface DMZ

static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

you tihink that this help me?

BR and THK!!!

Re: I need to DMZ access to internet and see the inside on ASA 5

Marvin Rhoads — Tue, 25 Sep 2012 20:50:12 GMT

Yes, what you have proposed looks good.

Re: I need to DMZ access to internet and see the inside on ASA 5

josue jonathan rivero herrera — Tue, 25 Sep 2012 21:04:16 GMT

ok, let me try out production and update you.

🙂

Re: I need to DMZ access to internet and see the inside on ASA 5

josue jonathan rivero herrera — Wed, 17 Oct 2012 16:29:28 GMT

Hi Marvin,

Apologies for the delay but too much work here, I try with the next command.

access-list DMZ_IN extended permit tcp 10.1.1.0 255.255.255.0 172.16.12.0 255.255.255.0

access-list DMZ_IN extended permit udp 10.1.1.0 255.255.255.0 172.16.12.0 255.255.255.0

access-list DMZ_IN extended permit tcp 10.1.1.0 255.255.255.0 172.16.6.0 255.255.255.0

access-list DMZ_IN extended permit udp 10.1.1.0 255.255.255.0 172.16.6.0 255.255.255.0

access-group DMZ_IN in interface DMZ

nat (DMZ) 1 0.0.0.0 0.0.0.0

static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

and when I configure the PC with DGW (interface DMZ`s firewall) I don't reach the LAN but Internet is reachable, i need to reach both (LAN-172.16.12.0, 172.16.6.0 and Internet).

do you have someone idea for help me?

thk so much!!!

Re: I need to DMZ access to internet and see the inside on ASA 5

Marvin Rhoads — Thu, 18 Oct 2012 14:05:32 GMT

Try using packet-tracer on the ASA to follow the logic through the box and determine why your DMZ-Inside traffic isn't working.

packet-tracer input dmz detailed

The output should tell you why the packets aren't flowing.