03-12-2018 12:57 AM - edited 02-21-2020 07:30 AM
Hi all,
I have an ASA 5525 connected to a DMZ server (Cisco 2960) and a core switch (4500 series, with VSS configured on it). I connected the ASA 5525 to the core switch using a port channel, and I want the DMZ network to access the internal core-side network and vice versa. What should I do?
Internal network 172.20.x.x
Dmz Network 192.168.x.x
Regards,
03-12-2018 01:16 AM
Create an ACL statement on the firewall to permit the inside IP addresses to reach the DMZ and vice versa.
e.g.
DMZ interface : access-group dmz_access_in in interface DMZ
Inside interface: access-group inside_access_in in interface Inside
access-list inside_access_in extended permit tcp 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
Core switch 4500:
Create a route for the internal network to reach the DMZ IP range through the gateway between the firewall and your core switch.
Though I think it is better to have specific servers on the inside network that you want specific servers on the DMZ to communicate with.
In this case, you can create object groups and grant permissions based on those object groups.
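The following is an added worked example of the approach described in the answer above (interface ACLs on the ASA, a route on the 4500, and object groups so that only named servers and ports are opened rather than the whole /16s). It is not the poster's configuration: the interface names, the 10.0.0.0/30 transit subnet between the ASA inside interface and the core switch, and the server addresses 172.20.10.5 and 192.168.10.20 are assumptions chosen for illustration. Port-channel member interfaces are omitted.

```cisco
! ---- ASA 5525 (hypothetical addressing; adjust to your own) ----
! Transit link to the 4500 VSS pair: ASA inside = 10.0.0.1/30, core SVI = 10.0.0.2/30
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! The ASA only knows its directly connected subnets, so it needs a route
! back to the internal 172.20.0.0/16 summary via the core switch.
route inside 172.20.0.0 255.255.0.0 10.0.0.2
!
! Object groups: name the hosts and ports instead of permitting /16 to /16.
object network INSIDE-APP-SRV
 host 172.20.10.5
object network DMZ-WEB-SRV
 host 192.168.10.20
object-group network INSIDE-SERVERS
 network-object object INSIDE-APP-SRV
object-group network DMZ-SERVERS
 network-object object DMZ-WEB-SRV
object-group service INSIDE-TO-DMZ-PORTS tcp
 port-object eq 443
 port-object eq 22
object-group service DMZ-TO-INSIDE-PORTS tcp
 port-object eq 1433
!
! Once an access-group is applied to an interface, its implicit deny replaces
! the default higher-to-lower security-level permission, so each direction
! that may initiate a connection is listed explicitly. The ASA is stateful:
! only the initiating direction needs a permit; replies match the connection table.
access-list inside_access_in extended permit tcp object-group INSIDE-SERVERS object-group DMZ-SERVERS object-group INSIDE-TO-DMZ-PORTS
access-list inside_access_in extended deny ip any any log
access-list dmz_access_in extended permit tcp object-group DMZ-SERVERS object-group INSIDE-SERVERS object-group DMZ-TO-INSIDE-PORTS
access-list dmz_access_in extended deny ip any any log
!
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ

! ---- Core switch 4500 (VSS) ----
interface Port-channel10
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Send the whole DMZ range to the ASA inside address.
ip route 192.168.0.0 255.255.0.0 10.0.0.1
```

The explicit `deny ip any any log` lines are optional (the implicit deny already drops the traffic) but make refused attempts visible in the syslog. Before trusting the policy, confirm both the route lookup and the ACL decision on the ASA with `packet-tracer input inside tcp 172.20.10.5 12345 192.168.10.20 443` and the reverse direction from the DMZ interface; the output shows which access-list line allowed or dropped the flow.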
03-12-2018 01:42 AM
Kindly share but do remember to remove sensitive information