
ASA 5505 inside access to dmz

jjursch
Level 1

I have an ASA 5505 set up with 3 VLANs (outside 0, dmz 50, and inside 100). I can't figure out how to allow the clients on the inside VLAN access to the dmz. Inside has access to the internet, dmz has access to the internet, and the internet has access to dmz. My config is attached (I do have a site-to-site IPsec VPN that is working).

4 Replies

sdoremus33
Level 3

One thing I did see was this

access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0 log debugging

Shouldn't 192.168.1.0 be 192.168.100.0?

192.168.1.0 is my remote site-to-site VPN. I think those statements were added to support the VPN, but I really do not remember.

Looks like you have an issue with your NAT configs.

What is this "static (dmz,inside) 192.168.99.46 71.x.x.46 netmask 255.255.255.255" used for? Is the x.x the same as in

"static (dmz,outside) 71.x.x.46 192.168.99.46 netmask 255.255.255.255"

Try configuring NAT exemption from DMZ to INSIDE and see if it helps.

Try this,

Remove

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Use this as well,

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
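The following is an added example, not part of the thread or of the poster's configuration: a small Python check of whether an inside-to-dmz flow is matched by the NAT exemption ACL entries quoted above, before and after adding the entry proposed in the last reply. It assumes `inside_nat0_outbound` is the ACL the inside interface uses for NAT exemption (the attached config is not shown on the page), and the client address 192.168.100.10 is constructed for illustration.

```python
import ipaddress

# ACL entries quoted in the thread (current state of the config as far as the page shows).
ACL_LINES = """\
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0 log debugging
"""
# Entry proposed in the last reply.
PROPOSED = ("access-list inside_nat0_outbound extended permit ip "
            "192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0")


def parse_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for entries of the form
    'access-list NAME extended permit ip NET MASK NET MASK [options]'.
    Other forms (host, any, object-groups) are skipped, not interpreted."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or tok[0] != "access-list":
            continue
        if tok[2:5] != ["extended", "permit", "ip"]:
            continue
        try:
            src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
            dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
        except ValueError:
            continue  # not the plain network/mask form
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


def exempted(acls, name, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip matches any entry of ACL 'name'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acls.get(name, []))


if __name__ == "__main__":
    flow = ("192.168.100.10", "192.168.99.46")  # constructed inside client -> dmz host
    before = parse_acl(ACL_LINES)
    after = parse_acl(ACL_LINES + PROPOSED)
    print("exempt before:", exempted(before, "inside_nat0_outbound", *flow))
    print("exempt after: ", exempted(after, "inside_nat0_outbound", *flow))
```

The quoted entries only cover dmz (192.168.99.0/24) to the remote VPN network (192.168.1.0/24), so no inside-sourced flow matches them until the proposed entry is added.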
