
Access from Inside network to subnetwork (DMZ)

Bobby Mazzotti
Level 1

Hello,

I have a request from a customer to allow a server on the inside network (192.168.1.203) to reach the "learning network" 10.10.10.0/24 over a specific set of ports. Here is the current ACL that allows traffic from the DMZ to the inside network:

access-list learning_access_in extended permit icmp 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit ip 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www 
access-list learning_access_in remark Allow access to mmgi-apps
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7725 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7751 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7752 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7753 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7725 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7751 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7752 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7753 

However, the application is still unable to access desktops using the core application from Inside network to DMZ. I was under the assumption that lower security networks by default would allow higher ones to access the networks.

interface Ethernet0/1
 description ** Inside Network **
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.254.0 
!

!
interface Ethernet0/2.7
 vlan 25
 nameif learning
 security-level 25
 ip address 10.10.10.254 255.255.255.0 
!

access-list inside extended permit tcp host 192.168.0.25 any eq smtp 
access-list inside extended deny tcp any any eq smtp 
access-list inside remark To allow the website "Timothysmithnetwork.org"
access-list inside extended permit tcp any host xxx.xxx.xxx.xxx eq www 
access-list inside extended permit ip any any 

Thanks for any help.
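As an added example (not part of the post or of Cisco's tooling), a small first-match evaluator for ACLs in the ASA syntax shown above: it parses the posted ACEs, answers whether a given flow would be permitted (with the implicit deny at the end of every ACL), and flags ACEs that an earlier, wider ACE makes unreachable. The ACL text is copied from the post, minus the inside ACL's redacted `www` line; host and port values in the example calls are constructed.

```python
import ipaddress

PORT_NAMES = {"www": 80, "smtp": 25}  # service names that appear in the posted ACLs

def _net(t, i):  # consume one address spec: any | host X | ADDR MASK
    if t[i] == "any": return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host": return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return (action, proto, src, dst, dport) per 'extended' ACE; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] != "extended":
            continue
        src, i = _net(t, 5)
        dst, i = _net(t, i)
        dport = None  # None means any destination port
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append((t[3], t[4], src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First-match lookup; an ASA ACL ends with an implicit deny of everything else."""
    for n, (action, p, s, d, port) in enumerate(aces):
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action, n
    return "deny", None

def shadowed(aces):
    """Indexes of ACEs that can never match because an earlier, wider ACE covers them."""
    def covers(a, b):
        return (a[1] in ("ip", b[1]) and b[2].subnet_of(a[2])
                and b[3].subnet_of(a[3]) and a[4] in (None, b[4]))
    return [i for i, b in enumerate(aces) if any(covers(a, b) for a in aces[:i])]

# ACL text from the post (the inside ACL's redacted www line is left out).
LEARNING = """access-list learning_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list learning_access_in remark Allow access to mmgi-apps
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7725"""
INSIDE = """access-list inside extended permit tcp host 192.168.0.25 any eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended permit ip any any"""
```

`evaluate(parse_acl(INSIDE), "tcp", "192.168.1.203", "10.10.10.20", 7725)` is the inside-to-learning check the post asks about for the lines shown, and `shadowed(parse_acl(LEARNING))` reports that the `permit ip 10.10.10.0/24 any` entry already covers the two tcp entries after it.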
