12743 Views, 0 Helpful, 3 Replies

ASA 5510 allow traffic from DMZ to LAN

ngthen (Level 1)

My device has 3 interfaces configured: inside, outside, DMZ.  Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement.  I am having a few issues setting up DMZ > LAN access however.  The servers running on the DMZ need to send information to my LAN such as syslog traffic for example.  Will DMZ traffic be NATed or should this somehow be excluded?  Basically all LAN devices should get to the DMZ devices by their actual IP and vice versa.  Are there any special statements I need to add to the ASA such as nat or ACLs to make this work?  My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.

Accepted Solution

Julio Carvajal (VIP Alumni)

Hello ngthen,

So you need to access the inside LAN from your DMZ network using the real IP address of the inside network.

You will need to NAT the inside network to the DMZ network and then create an ACL to permit the traffic from a lower security level to a higher security level; this is if the LAN has a more secure level.

Lan 10.10.6.0------------ASA---------------- 192.168.254.0 DMZ

static (inside,dmz) 10.10.6.0 10.10.6.0 netmask 255.255.255.0

access-list DMZ extended permit ip 192.168.254.0 255.255.255.0 10.10.6.0 255.255.255.0

access-group DMZ in interface dmz

With this you should be able to get from the DMZ to the inside LAN; you can make the ACL more restricted if needed.

I hope this helps you. If you have any other question just let me know; if not, please mark this question as answered.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


3 Replies

Hello,

How can this be made on ASA 8.6 version? I don't understand this type of NAT configuration.

Translation from 10.10.6.0 -> 10.10.6.0 ?? This is the same network. Is this some kind of trick?

Hi,

This is a Static Identity NAT that translates the IP address to itself. Its purpose is mainly to avoid running into a situation where the connections actually match the Dynamic PAT rule when going between LAN and DMZ, which results in the ASA dropping the traffic because it doesn't find a matching "global" statement for the "nat" command between these interfaces.

This is no longer an issue on the new software version of 8.3 and newer so you simply should NOT configure it.

The traffic will pass through without translation with its original local IP address. Naturally ACL rules are still needed to allow the traffic depending on your setup.

- Jouni
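For the 8.3 and newer case Jouni describes, the following is an added configuration example (not posted by anyone in this thread) showing the equivalent setup without the identity NAT, with the DMZ ACL narrowed to the syslog traffic the question mentions and a packet-tracer check of the result. The object names, the syslog server 10.10.6.20 and the interface names inside/dmz are assumptions.

```cisco
! ASA 8.3+ version of the DMZ -> LAN setup from this thread (added example).
! Assumed: nameif "inside" and "dmz", a LAN syslog server at 10.10.6.20
! (hypothetical host), and the object names chosen here.
!
! No identity NAT is needed: an object NAT rule such as
! "nat (inside,outside) dynamic interface" applies only to that interface
! pair, so inside<->dmz traffic is not translated. The pre-8.3 line
! "static (inside,dmz) 10.10.6.0 10.10.6.0" is simply omitted.
object network DMZ-NET
 subnet 192.168.254.0 255.255.255.0
object network LAN-NET
 subnet 10.10.6.0 255.255.255.0
object network LAN-SYSLOG
 host 10.10.6.20
!
! ACL on the dmz interface: lower -> higher security level needs an
! explicit permit, and 8.3+ ACLs match the real (untranslated) addresses.
! Permit only what the DMZ servers must initiate toward the LAN:
access-list DMZ extended permit udp object DMZ-NET object LAN-SYSLOG eq syslog
! Log and drop everything else from the DMZ toward the LAN, so a DMZ host
! that is exposed to the Internet cannot reach other internal systems:
access-list DMZ extended deny ip object DMZ-NET object LAN-NET log
! An applied ACL ends with an implicit deny, so DMZ hosts that must reach
! the Internet themselves (updates, DNS) need a permit after the LAN deny:
access-list DMZ extended permit ip object DMZ-NET any
access-group DMZ in interface dmz
!
! Verification: simulate a syslog datagram from a DMZ server to the LAN.
! The output lists each phase (ACL, NAT, flow creation); confirm the flow
! is allowed and that no NAT phase rewrites the addresses.
packet-tracer input dmz udp 192.168.254.10 514 10.10.6.20 514
! Confirm that a non-syslog flow toward another LAN host hits the deny:
packet-tracer input dmz tcp 192.168.254.10 1025 10.10.6.50 22
! Hit counts on each ACE show which rule real traffic is matching:
show access-list DMZ
```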
