Access to inside from dmz

murraymwps
Level 1

We have the wireless network on the dmz of the firewall. I need to allow the wifi users to be able to connect to the inside subnet.

dmz subnet: 192.168.3.0/24

inside subnet: 192.168.1.0/24

My packet-tracer is failing:

asa# packet-tracer input dmz tcp 192.168.3.10 25 192.168.1.9 25

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip inside 192.168.1.0 255.255.255.0 dmz any
    static translation to 192.168.1.0
    translate_hits = 0, untranslate_hits = 15
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0

Phase: 2
Type: ACCESS-LIST
Subtype: no-forward-rule
Result: DROP
Config:
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is the pertinent config:

asa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname asa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 description Wireless
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.201 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit tcp any host 123.123.123.202 eq https
access-list inbound extended permit tcp 123.65.144.0 255.255.248.0 host 123.123.123.202 eq smtp
access-list inbound extended permit tcp 123.81.64.0 255.255.248.0 host 123.123.123.202 eq smtp
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list 121 extended permit ip 192.168.0.0 255.255.252.0 192.168.42.0 255.255.255.0
access-list 122 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 123 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list datto extended permit ip host 192.168.1.12 any
access-list datto extended permit tcp any any eq ssh
access-list gsm extended permit ip 192.168.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list gsm extended permit ip 192.168.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list vpn standard permit 192.168.1.0 255.255.255.0
access-list vpn standard permit 172.20.1.0 255.255.255.0
access-list vpn standard permit 192.168.42.0 255.255.255.0
access-list nat0out extended permit ip 192.168.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list nat0out extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat0out extended permit ip 192.168.2.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list nat0out extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list oceanport extended permit ip 192.168.0.0 255.255.252.0 192.168.42.0 255.255.255.0
access-list dmz_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 121
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list nat0out
nat (dmz) 0 access-list 123
nat (dmz) 1 192.168.3.0 255.255.255.0
static (inside,outside) 123.123.123.202 192.168.1.9 netmask 255.255.255.255 dns
static (dmz,inside) 123.123.123.202 192.168.1.9 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group inbound in interface outside
access-group dmz_outbound in interface dmz
route outside 0.0.0.0 0.0.0.0 123.123.123.206 1


threat-detection basic-threat
threat-detection statistics access-list

!
class-map inspection_default
 match default-inspection-traffic
class-map datto-rate-limite
 match access-list datto
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map datto-limit
 class datto-rate-limite
  police output 1500000 100000
!


Marvin Rhoads
Hall of Fame

The configuration explicitly tells the ASA not to allow it:

interface Vlan3
 no forward interface Vlan1

Flip that subcommand ("forward interface vlan 1") and it should work. Here's the command reference describing what it does in detail.
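As an added illustration (not part of the original post or the reply), here is the poster's own interface block before and after the change the reply describes, together with the NAT and ACL lines from the posted config that permit the dmz -> inside flow once forwarding is allowed, and the same packet-tracer command used to verify it. Interface names, subnets and ACL names are taken from the post; the commands assume the ASA 8.2(5) CLI shown there.

```cisco
! Added example, not from the original post or reply.
! Names, subnets and ACLs are the ones in the posted ASA 8.2(5) config.

! --- Before (as posted): Vlan3 may not initiate traffic toward Vlan1 ---
! This is what produces the packet-tracer drop
!   "Type: ACCESS-LIST  Subtype: no-forward-rule  Result: DROP"
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0

! --- After: lift the restriction in interface configuration mode ---
asa# configure terminal
asa(config)# interface Vlan3
asa(config-if)# forward interface Vlan1
asa(config-if)# end
asa# write memory

! The identity static and the dmz interface ACL already present in the
! posted config are what then permit the flow (no new NAT or ACL needed):
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list dmz_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_outbound in interface dmz

! --- Verify with the same packet-tracer as in the question ---
asa# packet-tracer input dmz tcp 192.168.3.10 25 192.168.1.9 25
! The final "Result:" block should now end in "Action: allow" rather than
! "Action: drop ... (acl-drop)".

! --- Check the platform license first ---
asa# show version
! On an ASA 5505 the "VLANs" line under "Licensed features" reports
! "3, DMZ Restricted" for the Base license and "20, DMZ Unrestricted"
! for Security Plus.
```

Two caveats a practitioner will want. First, on an ASA 5505 the `no forward interface` line is not an arbitrary choice: the Base license permits a third VLAN only if it is restricted from forwarding to one other VLAN, so `forward interface Vlan1` is rejected unless the unit carries the Security Plus license (check `show version` as above before planning around the change). Second, the existing `dmz_outbound` ACL permits all IP traffic from the wireless subnet to the whole inside subnet; once forwarding works, narrowing that line to the hosts and ports the wireless users actually need is the least-privilege follow-up.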
