04-23-2013 09:03 AM - edited 03-11-2019 06:33 PM
Hi:
I have to allow traffic from my DMZ into my LAN
I have created the following access list and will apply it to the DMZ interface:
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.248
!
!
!
access-list dmz2in permit tcp host 10.0.0.3 host 192.168.200.38 eq 25
access-list dmz2in permit udp host 10.0.0.3 host 192.168.200.10 eq 53
access-list dmz2in permit udp host 10.0.0.3 host 192.168.200.10 eq 123
access-list dmz2in permit tcp host 10.0.0.3 host 192.168.200.10 eq 389
access-group dmz2in in interface dmz
Do I need to specify a 1-1 "static" map between DMZ and LAN, or vice versa?
Static (dmz,inside) 192.168.23.0 255.255.255.0 192.168.23.0 255.255.255.0
What am I missing?
Thank you
04-23-2013 09:27 AM
Hello Stan,
The access-lists are great, by the way.
Now you might have to do it, as you already have NAT in place (PAT/NAT, etc.), so if you have this or nat-control enabled then you will need it:
static (inside,dmz) 192.168.200.0 192.168.200.0
static (dmz,inside) 10.0.0.0 10.0.0.0
regards
04-23-2013 09:43 AM
Thank you
This makes sense - this should do it.
I have the following NAT statements currently in place:
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
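To check what the thread's configuration actually lets through, here is an added example (not from the thread or from Cisco) that parses the dmz2in access-list from the first post plus the two identity "static" lines from the reply, then evaluates sample flows against them. It models ASA 8.2-style behaviour as the posts describe it: first-match ACL evaluation with the implicit deny at the end, and a static identity translation that maps a real address to itself. The "netmask" keywords on the static lines are an assumption added for the parser (the reply omitted them), and the flows being tested are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ACL from the first post (example input, not live config).
ACL_TEXT = """
access-list dmz2in permit tcp host 10.0.0.3 host 192.168.200.38 eq 25
access-list dmz2in permit udp host 10.0.0.3 host 192.168.200.10 eq 53
access-list dmz2in permit udp host 10.0.0.3 host 192.168.200.10 eq 123
access-list dmz2in permit tcp host 10.0.0.3 host 192.168.200.10 eq 389
"""

# Identity statics from the reply; the netmask values are an assumption for this example.
STATIC_TEXT = """
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.248
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'host A', 'any', or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [Ace, ...]} in configured order (order matters: first match wins)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; anything that matches no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def parse_statics(text):
    """Parse 'static (real,mapped) MAPPED REAL [netmask M]' lines into tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "static":
            continue
        real_ifc, mapped_ifc = t[1].strip("()").split(",")
        mapped_ip, real_ip = t[2], t[3]
        mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
        rules.append((real_ifc, mapped_ifc,
                      ipaddress.ip_network(f"{real_ip}/{mask}", strict=False),
                      ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)))
    return rules


def translate(rules, real_ifc, mapped_ifc, real_addr):
    """Return the address seen on mapped_ifc, or None if no static covers the host."""
    a = ipaddress.ip_address(real_addr)
    for r_ifc, m_ifc, real_net, mapped_net in rules:
        if (r_ifc, m_ifc) == (real_ifc, mapped_ifc) and a in real_net:
            offset = int(a) - int(real_net.network_address)
            return str(ipaddress.ip_address(int(mapped_net.network_address) + offset))
    return None


DMZ2IN = parse_acl(ACL_TEXT)["dmz2in"]
STATICS = parse_statics(STATIC_TEXT)

if __name__ == "__main__":
    for flow in [("tcp", "10.0.0.3", "192.168.200.38", 25),
                 ("tcp", "10.0.0.3", "192.168.200.38", 80),
                 ("udp", "10.0.0.4", "192.168.200.10", 53)]:
        print(flow, "->", evaluate(DMZ2IN, *flow))
    print("10.0.0.3 on inside appears as", translate(STATICS, "dmz", "inside", "10.0.0.3"))
```

Running it shows that only the four listed host/port pairs from 10.0.0.3 are permitted; a second DMZ host or an extra port on the mail server falls through to the implicit deny, and the identity statics leave both subnets' addresses unchanged so the ACL entries match the real addresses.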