ASA 5520 Config for DMZ to INSIDE Access

sdasgupta
Level 1

Hi,

I'm a new user of ASA; anyway, by reading Cisco documents I have done some basic configuration. At this moment my requirements are as follows:

1. Access to DMZ server (191.20.20.0/24) (ping & other services like http etc.) from Inside User VLAN (172.16.34.0/24)

2. Access to Inside user VLAN (172.16.34.0/24) from DMZ Server (191.20.20.0/24)

I have done the config for requirement no. 1, but am unable to make requirement number 2 work.

Please help me by guiding me step by step through the config for accessing the inside user VLAN from the DMZ.

My Interface Details:

# Inside (security 100): 10.10.10.1/30 on the ASA interface, connecting to a Core switch port configured with IP 10.10.10.2/30

# DMZ (security 80): 192.20.20.1/24 on the ASA interface, connecting to an L2 switch (2960, without any IP). All the DMZ servers are on the 192.20.20.0/24 segment with their gateway configured as 192.20.20.1

NB: The Outside interface is not yet connected, as the ISP didn't provide the Internet link yet (it will be coming soon), but at this moment I don't require the public network, as nobody will start accessing those DMZ servers; that will be a later requirement.

Regards

Sujit

Accepted Solution

Jennifer Halim
Cisco Employee

For requirement number 2, you would need to have the following configured:

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

As well as an access-list on the DMZ to allow access towards inside:

access-list dmz-acl permit ip 191.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0

access-group dmz-acl in interface DMZ

Then a "clear xlate" after the above configuration.

Hope that helps.


8 Replies


Hi Jennifer,

Please find the attached config for your ready reference. I have done as per your advice, but still no progress.

Sujit

Hi Jennifer,

I'm waiting for your reply.

Sujit

Hi Sujit,

Please attach the output of the following command:

packet-tracer input dmz icmp 192.20.20.2 8 0 172.16.34.2 detailed

Thanks,

Namit

Hi Jennifer,

What is the aim of the below statement?

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

Regards

Hubert

When you go from a higher to a lower security level in a firewall you will need NATting with nat-control enabled; this is a security feature.

So if you do not want to NAT traffic when it is going from inside to DMZ you will use that command. What that command is doing is a one-to-one NAT, which means 172.16.34.0 from inside will appear as 172.16.34.0 on the DMZ.
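The accepted answer's two lines and the nat-control explanation in this reply are modelled in the following added Python script (not code from the thread or from Cisco). It assumes the pre-8.3 ASA behaviour those commands imply (inbound ACL or security-level default first, then a nat-control lookup), takes the DMZ subnet as 191.20.20.0/24 exactly as written in the access-list, and ignores routing and the connection table.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Static:  # static (real_if,mapped_if) mapped_net real_net netmask ...; identity NAT here
    real_if: str
    mapped_if: str
    real_net: str
    mapped_net: str

@dataclass
class Asa:
    security: dict                             # interface name -> security level
    nat_control: bool = True                   # assumed: nat-control enabled, as the reply implies
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)   # ingress iface -> [(src_net, dst_net)] permit entries

    def check(self, ingress, egress, src, dst):
        """Return (verdict, reason) for a new src->dst connection arriving on `ingress`."""
        s, d = ip_address(src), ip_address(dst)
        # 1. ACL bound inbound on the ingress interface; without one, higher -> lower
        #    security is implicitly permitted and lower -> higher is implicitly denied.
        acl = self.acls.get(ingress)
        if acl is not None:
            if not any(s in ip_network(a) and d in ip_network(b) for a, b in acl):
                return "DROP", f"acl-drop on {ingress}: {src}->{dst} not permitted"
        elif self.security[ingress] <= self.security[egress]:
            return "DROP", f"implicit deny: {ingress} -> {egress} is lower -> higher security"
        # 2. nat-control: the flow must match a translation between these two interfaces,
        #    as the real (source) side or as the mapped (destination) side of a static.
        if self.nat_control:
            for st in self.statics:
                if {st.real_if, st.mapped_if} != {ingress, egress}:
                    continue
                if st.real_if == ingress and s in ip_network(st.real_net):
                    return "ALLOW", f"source covered by static ({st.real_if},{st.mapped_if})"
                if st.mapped_if == ingress and d in ip_network(st.mapped_net):
                    return "ALLOW", f"destination covered by static ({st.real_if},{st.mapped_if})"
            return "DROP", "no translation group found for packet"
        return "ALLOW", "nat-control disabled"

def thread_config(with_static=True, with_acl=True):
    """The thread's setup, optionally leaving out one of the two lines from the accepted answer."""
    asa = Asa(security={"inside": 100, "DMZ": 80})
    if with_static:  # static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
        asa.statics.append(Static("inside", "DMZ", "172.16.34.0/24", "172.16.34.0/24"))
    if with_acl:     # access-list dmz-acl permit ip 191.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0
        asa.acls["DMZ"] = [("191.20.20.0/24", "172.16.34.0/24")]  # access-group dmz-acl in interface DMZ
    return asa
```

Running the four combinations of the two lines against check("DMZ", "inside", "191.20.20.2", "172.16.34.2") shows that only the one with both returns ALLOW: the ACL alone fails with "no translation group found", the static alone fails on the implicit lower-to-higher deny. The same static also satisfies nat-control for inside-to-DMZ traffic, which is the one-to-one point made in the reply above.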

Thanks for the explanation.

Regards

Hubert

Hi Jennifer,

Thanks a lot..... it is working perfectly fine with the configuration suggested by you.

Sujit
