10-07-2010 04:37 AM - edited 03-11-2019 11:51 AM
Hi,
I'm a new user of the ASA; anyway, by reading the Cisco documents I have done some basic configuration. At this moment my requirements are as follows:
1. Access to the DMZ server (191.20.20.0/24) (ping and other services like HTTP, etc.) from the inside user VLAN (172.16.34.0/24)
2. Access to the inside user VLAN (172.16.34.0/24) from the DMZ server (191.20.20.0/24)
I have done the config for requirement no. 1, but I am unable to make requirement number 2 work.
Please help me by guiding me step by step through the config for accessing the inside user VLAN from the DMZ.
My Interface Details:-
# Inside (security 100): 10.10.10.1/30 on the ASA interface, connecting to a core switch port configured with IP 10.10.10.2/30
# DMZ (security 80): 192.20.20.1/24 on the ASA interface, connecting to an L2 switch (2960, without any IP). All the DMZ servers are on the 192.20.20.0/24 segment, configured with gateway 192.20.20.1
NB: The outside interface is not yet connected, as the ISP hasn't provided the Internet link yet; it will be coming soon. At this moment I don't require the public network, as nobody will start accessing those DMZ servers until later.
Regards
Sujit
10-07-2010 04:40 AM
For requirement number 2, you would need to have the following configured:
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
As well as access-list on the DMZ to allow access towards inside:
access-list dmz-acl permit ip 191.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0
access-group dmz-acl in interface DMZ
Then a "clear xlate" after the above configuration.
Hope that helps.
10-07-2010 05:54 AM
Hi Jennifer,
I'm waiting for your reply.
Sujit
10-07-2010 09:09 AM
Hi Sujit,
Please attach the output of the following command
packet-tracer input dmz icmp 192.20.20.2 8 0 172.16.34.2 detailed
Thanks,
Namit
10-07-2010 08:59 AM
Hi Jennifer,
What is the aim of the statement below?
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
regards
Hubert
10-07-2010 09:45 AM
When you go from a higher to a lower security level in a firewall, you will need NATting with nat-control enabled; this is a security feature.
So if you do not want to NAT traffic when it is going from inside to DMZ, you will use that command. What that command is doing is a one-to-one NAT, which means 172.16.34.0 from inside will appear as 172.16.34.0 on the DMZ.
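The following is an added example, not part of the thread or of any Cisco software: a simplified Python model of the two checks the accepted answer turns on (an inbound ACL on the lower-security interface and an identity static for the higher-security subnet), so you can see why DMZ-to-inside fails when either piece is missing. It uses the interface names and security levels from the question; the thread writes the DMZ subnet both as 191.20.20.0 and 192.20.20.0, and the example assumes 192.20.20.0/24, the address configured on the interface. The real ASA packet path has more stages than this model.

```python
# Added example (not from the thread): a simplified model of how an ASA with
# nat-control decides whether a flow that crosses two interfaces is allowed.
# Only two stages are modelled: the ingress ACL and the static translation.
from ipaddress import ip_address, ip_network

SECURITY = {"inside": 100, "dmz": 80}   # security levels quoted in the question

def _covers(net, ip):
    return ip_address(ip) in ip_network(net)

def check_flow(src_if, src_ip, dst_if, dst_ip, statics, acls):
    """Return (allowed, reason) for a flow entering on src_if bound for dst_if.
    statics: list of (real_if, mapped_if, real_net), i.e. 'static (real,mapped) ...'
    acls:    dict ingress_if -> list of (src_net, dst_net) permit entries bound
             with 'access-group <acl> in interface <ingress_if>'."""
    lower_to_higher = SECURITY[src_if] < SECURITY[dst_if]
    # Ingress ACL: if one is bound it must permit the flow; with none bound,
    # low->high is implicitly denied and high->low implicitly permitted.
    if src_if in acls:
        if not any(_covers(s, src_ip) and _covers(d, dst_ip) for s, d in acls[src_if]):
            return False, f"no permit in ACL on {src_if}"
    elif lower_to_higher:
        return False, f"no ACL bound to {src_if}; {src_if}->{dst_if} denied by default"
    # nat-control: the higher-security side of the pair needs a translation.
    real_if, mapped_if = (dst_if, src_if) if lower_to_higher else (src_if, dst_if)
    real_ip = dst_ip if lower_to_higher else src_ip
    if not any(r == real_if and m == mapped_if and _covers(n, real_ip)
               for r, m, n in statics):
        return False, f"no static ({real_if},{mapped_if}) covering {real_ip}"
    return True, "permitted"

# Configuration from the accepted answer: identity static plus the DMZ ACL.
STATICS = [("inside", "dmz", "172.16.34.0/24")]
ACLS = {"dmz": [("192.20.20.0/24", "172.16.34.0/24")]}

def requirement_1():   # inside user -> DMZ server (host addresses constructed)
    return check_flow("inside", "172.16.34.10", "dmz", "192.20.20.2", STATICS, ACLS)

def requirement_2():   # DMZ server -> inside user
    return check_flow("dmz", "192.20.20.2", "inside", "172.16.34.10", STATICS, ACLS)

def requirement_2_without_static():   # ACL present, identity static missing
    return check_flow("dmz", "192.20.20.2", "inside", "172.16.34.10", [], ACLS)

def requirement_2_without_acl():      # static present, no ACL bound to dmz
    return check_flow("dmz", "192.20.20.2", "inside", "172.16.34.10", STATICS, {})

if __name__ == "__main__":
    for f in (requirement_1, requirement_2, requirement_2_without_static, requirement_2_without_acl):
        print(f.__name__, f())
```

On the real box, `packet-tracer input dmz icmp <dmz-host> 8 0 <inside-host> detailed` (as suggested later in the thread) reports which of these stages actually dropped the packet.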
10-07-2010 09:37 PM
Thanks for explanation
regards
Hubert
10-13-2010 08:30 AM
Hi Jennifer,
Thanks a lot. It is working perfectly fine, configured as suggested by you.
Sujit