cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
783
Views
10
Helpful
4
Replies

Access from Inside network to subnetwork (DMZ)

Bobby Mazzotti
Level 1
Level 1

Hello,

I have a request from a customer to allow a server on the inside network (192.168.1.203) to the "learning network" 10.10.10.0/24 over a specific set of ports. Here is the current ACL to allow from DMZ to Inside network

access-list learning_access_in extended permit icmp 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit ip 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www 
access-list learning_access_in remark Allow access to mmgi-apps
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7725 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7751 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7752 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7753 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7725 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7751 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7752 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7753 

 

 

However, the application is still unable to access desktops using the core application from Inside network to DMZ. I was under the assumption that lower security networks by default would allow higher ones to access the networks.

 

interface Ethernet0/1
 description ** Inside Network **
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.254.0 
!

!
interface Ethernet0/2.7
 vlan 25
 nameif learning
 security-level 25
 ip address 10.10.10.254 255.255.255.0 
!

 

 

access-list inside extended permit tcp host 192.168.0.25 any eq smtp 
access-list inside extended deny tcp any any eq smtp 
access-list inside remark To allow the website "Timothysmithnetwork.org"
access-list inside extended permit tcp any host xxx.xxx.xxx.xxx eq www 
access-list inside extended permit ip any any 

 

 

 

Thanks for any help.

1 Accepted Solution

Accepted Solutions

The security levels only take effect while there are no access-lists assigned to the interface.  Once you assign an ACL to an interface it is the ACL that counts and not the security level.

what version of ASA are you running?  If you are running a version earlier than 8.2 you may need to either add a NAT exempt statement for the traffic or issue the command no nat-control.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

4 Replies 4

Maykol Rojas
Cisco Employee
Cisco Employee

That is correct, until you put an ACL on it. The traffic will go from the inside to the learning network? or from the Learning network to the inside? or both? 

 

There might be some NAT issues as well, you can try to do a packet tracer to see where the problem is. 

 

packet-tracer input <input src interface ie inside> <tcp/udp> <src host> <dest host> <port> 

 

It should give you something if it is the firewall that is blocking it. 

Mike. 

Mike

I ran packet tracer for the destined port and received the following -

FW1# packet-tracer input inside tcp 192.168.1.213 7751 10.10.10.34 7751

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   learning

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any learning any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1408, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: learning
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The security levels only take effect while there are no access-lists assigned to the interface.  Once you assign an ACL to an interface it is the ACL that counts and not the security level.

what version of ASA are you running?  If you are running a version earlier than 8.2 you may need to either add a NAT exempt statement for the traffic or issue the command no nat-control.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Ended up having to place a no nat rule -

access-list NO_NAT_LEARNING extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (learning) 0 access-list NO_NAT_LEARNING

Review Cisco Networking for a $25 gift card