11-25-2013 05:12 PM - edited 03-11-2019 08:09 PM
hi everyone,
I just inherited an ASA from the previous System Admin and I need to configure it to allow a server sitting on the DMZ to communicate with 2 (failover) servers in the INSIDE zone on various UDP and TCP ports.
DMZ host : 192.168.3.202
INSIDE host 1: 192.168.2.122
INSIDE host 2: 192.168.2.123
I couldn't get the DMZ host to talk to the INSIDE hosts at all. Can you help me look at my configuration? For testing, I even added the 3 lines that I highlighted in orange to see if the communication goes through or not.
!---------------------------------------------------------------------------
! DMZ_Access_IN ACL
!---------------------------------------------------------------------------
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq 4500
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
access-list dmz_access_in extended permit ip host 192.168.3.202 host 192.168.2.122
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended permit icmp any host 192.168.2.1
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
global (dmz) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
static (dmz,outside) x.x.x.x 192.168.3.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
11-25-2013 06:20 PM
Add these lines to your config -
static (inside,dmz) 192.168.2.122 192.168.2.122 netmask 255.255.255.255
static (inside,dmz) 192.168.2.123 192.168.2.123 netmask 255.255.255.255
Jon
11-26-2013 12:38 AM
Thanks Jon.
I will give this a try tomorrow morning.
This same server also needs to talk to an entire subnet of VDI desktops. What would my static for that part look like?
static (inside,dmz) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
?
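An added config-audit script, written for this thread and not part of any post or of Cisco's tooling: Jon's fix relies on the pre-8.3 ASA rule that an access-list permit on the dmz interface toward an inside address only passes traffic once a translation exists from inside to dmz for that address (the identity statics above). The script parses the access-list, static and access-group lines, then lists every permitted destination that no static mapped onto the ACL's interface covers. The sample config is constructed from the thread, with 203.0.113.10 standing in for the redacted x.x.x.x; netmask-based statics are handled too, so a subnet static of the form asked about (assumed valid 8.2-style syntax) is also recognised. Object-groups and network objects are not parsed.

```python
import ipaddress
import re

# Constructed sample built from the thread: the original ACL (trimmed),
# the existing NAT lines, and only the first of Jon's two identity statics,
# so the audit has something to report. 203.0.113.10 replaces x.x.x.x.
SAMPLE_CONFIG = """
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
global (dmz) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
static (dmz,outside) 203.0.113.10 192.168.3.202 netmask 255.255.255.255
static (inside,dmz) 192.168.2.122 192.168.2.122 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
# static (real_if,mapped_if) mapped_addr real_addr netmask mask   (pre-8.3 syntax)
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
# Port qualifiers that may follow an address operand, with the token count to skip.
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}


def _operand(tokens, i):
    """Consume one address operand at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns (IPv4Network or None for any, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _skip_ports(tokens, i):
    """Step over a source-port qualifier such as 'eq 80' if one is present."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + PORT_OPS[tokens[i]]
    return i


def parse_config(text):
    """Return (acl_entries, statics, access_groups) from a running-config excerpt."""
    acls, statics, groups = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, i = _operand(tokens, 0)
            i = _skip_ports(tokens, i)
            dst, _ = _operand(tokens, i)
            acls.append((name, action, proto, src, dst))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, _real, mask = m.groups()
            # The ACL on the mapped interface sees the mapped address, so that
            # is the side we need to compare against.
            statics.append((real_if, mapped_if,
                            ipaddress.ip_network(f"{mapped}/{mask}", strict=False)))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
    return acls, statics, groups


def find_uncovered(text):
    """List ACL permit destinations (CIDR strings) on an applied ACL that no
    static translation mapped onto that ACL's interface covers. On a pre-8.3
    ASA those flows are dropped even though the access-list permits them."""
    acls, statics, groups = parse_config(text)
    missing = set()
    for name, action, _proto, _src, dst in acls:
        if action != "permit" or dst is None or name not in groups:
            continue  # denies and 'any' destinations cannot be checked this way
        ingress = groups[name]
        covered = any(mapped_if == ingress and dst.subnet_of(net)
                      for _real_if, mapped_if, net in statics)
        if not covered:
            missing.add(str(dst))
    return sorted(missing)


if __name__ == "__main__":
    for dst in find_uncovered(SAMPLE_CONFIG):
        print(f"permitted on the ACL but no static covers it: {dst}")
```

Run against the sample it reports 192.168.2.123/32, the host whose identity static is missing; appending Jon's second static line (or, for the VDI question, a static with a /24 netmask covering the desktop subnet) clears the report. The script only reads configuration text, so it can be run on a saved `show running-config` before touching the firewall.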
11-26-2013 01:10 AM
Hi Hleu,
Kindly have a look at the discussion below; it might be helpful:
Regards,
Anim Saxena
Community Manager