ASA 5505 - DMZ access INSIDE

HIeu Phan
Level 1

Hi everyone,

I just inherited an ASA from the previous system admin and I need to configure it to allow a server sitting on the DMZ to communicate with 2 (failover) servers in the INSIDE zone on various UDP and TCP ports.

DMZ host : 192.168.3.202

INSIDE host 1:  192.168.2.122

INSIDE host 2: 192.168.2.123

I couldn't get the DMZ host to talk to the INSIDE hosts at all. Can you help me look at my configuration? For testing, I even added the 3 lines that I highlighted in orange to see if the communication goes through or not.

!---------------------------------------------------------------------------
! DMZ_Access_IN ACL
!---------------------------------------------------------------------------
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq 4500
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
access-list dmz_access_in extended permit ip host 192.168.3.202 host 192.168.2.122
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended permit icmp any host 192.168.2.1
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
global (dmz) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
static (dmz,outside) x.x.x.x 192.168.3.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz

Accepted Solution

Jon Marshall
Hall of Fame

Add these lines to your config -

static (inside,dmz) 192.168.2.122 192.168.2.122 netmask 255.255.255.255
static (inside,dmz) 192.168.2.123 192.168.2.123 netmask 255.255.255.255

Jon


3 Replies


Thanks Jon.

I will give this a try tomorrow morning.

This same server also needs an entire subnet of VDI desktops. What would my static for that part look like?

static (inside,dmz) 192.168.26.0 192.168.26.0 netmask 255.255.255.0

?
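Jon's accepted answer gives the two identity statics but not the reason they are needed, and the follow-up asks how the same fix extends to a whole subnet. On the pre-8.3 NAT model this thread is using (the `static (real,mapped)` syntax), a flow from the lower-security dmz interface to the higher-security inside interface has to pass the inbound ACL on dmz and, with nat-control in effect, the inside destination must also have a translation toward dmz; an identity static supplies that translation without changing the address. The script below is an added example, not Cisco code and not part of this thread, that models those two checks over the posted configuration. It assumes security levels of inside 100 / dmz 50 / outside 0, substitutes the documentation address 203.0.113.10 for the elided x.x.x.x, omits the `global`/`nat` lines it does not model, and uses tcp/3389 to a constructed VDI host 192.168.26.10 as a sample flow. It also lists permit entries that are `any` to `any`, which on a DMZ-inbound list are worth reviewing once the test entries have served their purpose.

```python
"""Added example (not Cisco code): model of the pre-8.3 ASA packet path the
thread relies on.  Assumptions: security levels inside 100 / dmz 50 / outside 0,
nat-control behaviour, and 203.0.113.10 standing in for the elided x.x.x.x."""
import ipaddress
import re

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # assumed levels
PORT_NAMES = {"isakmp": 500}  # the only service name used in the thread
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed from the original post (x.x.x.x replaced by a documentation address).
BASE_CONFIG = """
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq 4500
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
access-list dmz_access_in extended permit ip host 192.168.3.202 host 192.168.2.122
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended permit icmp any host 192.168.2.1
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
static (dmz,outside) 203.0.113.10 192.168.3.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
"""
# The accepted answer's identity statics, and the subnet static from the follow-up.
HOST_STATICS = """
static (inside,dmz) 192.168.2.122 192.168.2.122 netmask 255.255.255.255
static (inside,dmz) 192.168.2.123 192.168.2.123 netmask 255.255.255.255
"""
VDI_STATIC = "static (inside,dmz) 192.168.26.0 192.168.26.0 netmask 255.255.255.0\n"


def _parse_addr(tokens):
    """Consume one address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


class AsaModel:
    def __init__(self, config_text):
        self.acls = {}           # name -> [(action, proto, src_net, dst_net, port|None)]
        self.statics = []        # [(real_if, mapped_if, mapped_net, real_net)]
        self.access_groups = {}  # interface -> inbound ACL name
        for line in config_text.splitlines():
            t = line.split()
            if len(t) > 4 and t[0] == "access-list" and t[2] == "extended":
                src, rest = _parse_addr(t[5:])
                dst, rest = _parse_addr(rest)
                port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
                self.acls.setdefault(t[1], []).append((t[3], t[4], src, dst, port))
            elif t and t[0] == "static":  # static (real,mapped) MAPPED REAL netmask MASK
                real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
                mask = t[5] if t[4:5] == ["netmask"] else "255.255.255.255"
                self.statics.append((real_if, mapped_if,
                                     ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                                     ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
            elif t and t[0] == "access-group":
                self.access_groups[t[4]] = t[1]

    def acl_verdict(self, iface, proto, src, dst, dport):
        """First matching ACE wins; no match means the implicit deny."""
        name = self.access_groups.get(iface)
        for action, p, s, d, port in self.acls.get(name, []):
            if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
                return action == "permit", f"{name}: {action} {p} {s} -> {d}" + (f" eq {port}" if port else "")
        return False, f"{name}: implicit deny"

    def real_destination(self, dst, real_if, mapped_if):
        """Untranslate dst through a static (real_if,mapped_if) that covers it, else None."""
        for r_if, m_if, mapped, real in self.statics:
            if (r_if, m_if) == (real_if, mapped_if) and dst in mapped:
                return ipaddress.ip_address(int(real.network_address) + int(dst) - int(mapped.network_address))
        return None

    def flow_allowed(self, in_if, out_if, proto, src, dst, dport=None):
        """Ingress ACL first; a lower->higher flow then also needs a translation for dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ok, why = self.acl_verdict(in_if, proto, src, dst, dport)
        if ok and SECURITY_LEVEL[in_if] < SECURITY_LEVEL[out_if] \
                and self.real_destination(dst, out_if, in_if) is None:
            return False, f"no static ({out_if},{in_if}) translation for {dst}"
        return ok, why

    def broad_permits(self, name):
        """Permit ACEs with 'any' as both source and destination, for review."""
        return [a for a in self.acls.get(name, []) if a[0] == "permit" and a[2] == ANY and a[3] == ANY]


def check(config, dst, proto="tcp", dport=None):
    # Evaluate the thread's DMZ host 192.168.3.202 -> inside host dst under config.
    return AsaModel(config).flow_allowed("dmz", "inside", proto, "192.168.3.202", dst, dport)
```

Calling `check(BASE_CONFIG, "192.168.2.123", "tcp", 8009)` returns a denial naming the missing `static (inside,dmz)` translation even though the ACL permits the flow; appending `HOST_STATICS` turns that into a permit, while tcp/22 to the same host is still stopped by the `deny ip any 192.168.2.0 255.255.255.0` entry. For the VDI subnet the same two conditions apply: `VDI_STATIC` supplies the translation, and the flow is then permitted only because the trailing `permit ip any any` matches it, so a tighter ACL entry for that subnet is the natural next step.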

Anim Saxena
Level 1

Hi Hieu,

Kindly have a look at the discussions below; they might be helpful:

ASA 5510 DMZ

ASA 5505config with DMZ

Regards,

Anim Saxena

Community Manager
