topic DMZ access from inside vlans in Network Security

DMZ access from inside vlans

kolawole1 — Mon, 11 Mar 2019 18:11:30 GMT

Dear All,

After searching through the forum i could not find a solution and is obliged to ask for help.

I have a cisco ASA 5510 connected to a cisco 3560 switch which has vlans (see configs).

I want to access the servers in the dmz from each of the vlans.Actually a ping to 172.100.0.200 from the switch succeeds.But when trying the ping from the pc in vlans it does not succeed.A ping sourcing from an SVI also do not succeed.Int Gi0/22 is connected to the inside interface of asa, i have tried static nat (with ip address and access-list) without success

Please help.

Re: DMZ access from inside vlans

Nagaraja Thanthry — Tue, 13 Jul 2010 22:35:03 GMT

Hello,

You do not have NAT rules for rest of the VLAN segments. Please try the following:

access-list nat0_outbound permit ip any 172.100.0.0 255.255.255.0

Hope this helps.

Regards,

Re: DMZ access from inside vlans

kolawole1 — Wed, 14 Jul 2010 17:20:26 GMT

Thanks a lot.I can now access the servers

in dmz by address only

.When accessing by name, it does not work.The server url name is mtp:8081/helpdesk.Is there any way to configure this on ASA ?Thanks.

Re: DMZ access from inside vlans

Nagaraja Thanthry — Wed, 14 Jul 2010 17:36:23 GMT

Hello,

What is the location of your WINS server? If it is on the inside of the firewall, then you need to configure a static NAT rule so that the hosts can communicate with the WINS server.

static (inside,dmz) netmask 255.255.255.255

Hope this helps.

Regards,

Re: DMZ access from inside vlans

kolawole1 — Wed, 14 Jul 2010 19:11:07 GMT

The WINS/DNS server is on the inside interface (in the server vlan behind the 192.168.104.0 network)
For AD replication to work with other partners, the servers in the server vlan are having the ip address of the ISA server
as their default gateway, not the server vlan svion the switch.

A ping from the ASA to the wins server does not succeed even though a route was created on the ISA server for network 192.168.104.0/24
and 172.100.0.0 that point to the server svi on the 3560 switch.

What should i do to be able to ping from the asa to the wins server ?

Thanks

Here is the setup

server vlan 172.31.0.0/24----------- switch int gi0/22------ ASA eth0/2---------- ASA DMZ interface

def gateway = ISA server IP address 172.31.0.16 switch ip 192.168.104.2 ip 192.168.104.1 172.100.0.1/24

Re: DMZ access from inside vlans

Nagaraja Thanthry — Wed, 14 Jul 2010 21:52:28 GMT

Hello,

I think the first step would be to make sure that your ISA server has a

route to rest of the network. Once it has the route, I think adding that

static statement I had mentioned earlier would do the trick. Please check

the ISA device (or you can do a tracert from the WINS server as well) and

see where the packets are getting dropped.

Regards,