11-25-2013 05:12 PM - edited 03-11-2019 08:09 PM
Hi everyone,
I just inherited an ASA from the previous system admin and I need to configure it to allow a server sitting in the DMZ to communicate with 2 (failover) servers in the INSIDE zone on various UDP and TCP ports.
DMZ host : 192.168.3.202
INSIDE host 1: 192.168.2.122
INSIDE host 2: 192.168.2.123
I couldn't get the DMZ host to talk to the INSIDE hosts at all. Can you help me look at my configuration? For testing, I even added the 3 lines that I highlighted in orange to see if the communication goes through or not.
!---------------------------------------------------------------------------
! DMZ_Access_IN ACL
!---------------------------------------------------------------------------
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq 4500
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
access-list dmz_access_in extended permit ip host 192.168.3.202 host 192.168.2.122
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended permit icmp any host 192.168.2.1
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
global (dmz) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
static (dmz,outside) x.x.x.x 192.168.3.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
11-25-2013 06:20 PM
Add these lines to your config -
static (inside,dmz) 192.168.2.122 192.168.2.122 netmask 255.255.255.255
static (inside,dmz) 192.168.2.123 192.168.2.123 netmask 255.255.255.255
Jon
11-26-2013 12:38 AM
Thanks Jon.
I will give this a try tomorrow morning.
This same server also needs to reach an entire subnet of VDI desktops. How would my static for that part look?
static (inside,dmz) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
?
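Worked example, added here and not part of Jon's post or of Cisco documentation: the two identity statics from Jon's answer, the subnet static for the VDI desktops asked about above, a DMZ ACL without the broad test entries, and the commands used to check the result. It keeps the pre-8.3 (`static`/`global`) syntax of the posted config; on ASA 8.3 and later the NAT lines are written with object/twice NAT instead and do not apply as shown. The only addresses and ports used are the ones in the thread; the ACL entry for the VDI subnet is a placeholder because the thread does not list which ports that traffic needs.

```cisco
! Added example (not the original poster's config). ASA 8.2-style syntax,
! matching the config posted in the thread.

! 1. Identity NAT from inside to dmz.
!    On a pre-8.3 ASA a connection from a lower-security interface (dmz) to a
!    host on a higher-security interface (inside) needs a translation entry for
!    that host, or the packet is dropped at the NAT stage even though the ACL
!    permits it (syslog %ASA-3-305005 "No translation group found").
!    Mapping an address to itself supplies that entry without changing the IP.
static (inside,dmz) 192.168.2.122 192.168.2.122 netmask 255.255.255.255
static (inside,dmz) 192.168.2.123 192.168.2.123 netmask 255.255.255.255
! The same form covers a whole subnet; this is the line proposed above for the
! VDI desktops, and it is valid as written.
static (inside,dmz) 192.168.26.0 192.168.26.0 netmask 255.255.255.0

! 2. DMZ ACL. Once the statics are in place the "permit ip" test entries are
!    no longer needed; remove them so the DMZ host only reaches the listed ports
!    on the two inside servers. The final deny/permit pair is kept from the
!    original so the DMZ host can still reach the outside but nothing else on
!    192.168.2.0/24.
clear configure access-list dmz_access_in
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq 4500
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
! Placeholder for the VDI subnet: the thread does not say which ports the
! desktops need, so narrow "ip" to those ports before putting this in production.
access-list dmz_access_in extended permit ip host 192.168.3.202 192.168.26.0 255.255.255.0
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0 log
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz

! 3. Checks. packet-tracer walks a synthetic packet through ACL, NAT and
!    routing and reports the phase that drops it; before the statics it stops
!    at NAT, afterwards it ends with "Action: allow".
packet-tracer input dmz tcp 192.168.3.202 1025 192.168.2.122 8009
packet-tracer input dmz udp 192.168.3.202 4500 192.168.2.123 4500
! Confirm the identity translations exist and the ACL is being hit.
show xlate | include 192.168.2.12
show access-list dmz_access_in
```

If packet-tracer still drops at the NAT phase after these lines, look at the `nat (inside)` and `nat-control` settings of the running config, which the thread does not show; a dynamic NAT rule on inside is exactly what makes the identity static necessary for dmz-initiated connections.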
11-26-2013 01:10 AM
Hi Hleu,
Kindly have a look at the discussion below; it might be helpful:
Regards,
Anim Saxena
Community Manager