11-05-2008 07:06 AM - edited 03-11-2019 07:08 AM
I am trying to fix a similar situation.
I need the "Masters" to review my configs so I can share the knowledge.
I can get to the Internet from the DMZ and the inside interfaces.
I'm trying to allow the inside interface to be able to access anything in the DMZ.
I would like to be able to browse the webpages.
Also I am trying to allow remote desktop into the DMZ. I want to keep the DMZ limited to the access rules and ports defined.
I've got several public IPs that go to the DMZ and Inside depending on the port and service.
I've attached a clean detailed config.
11-14-2008 11:48 AM
I found that more than one firewall existed on one of my testing PCs. I ruled this out.
I am still unable to pass traffic as desired.
The dmz should accept inside traffic by default. I think that the dmz isn't allowing traffic back to the inside. I even created a simple configuration with the same results.
I made the security levels of the dmz and inside to the same level. I can now ping and pass traffic back and forth.
I suspect using outbound ACLs on the DMZ is a way to restrict the access.
I'd like to keep the levels different.
I'm rating the previous posts and pose the question: why won't traffic pass?
11-14-2008 12:41 PM
My first thought is to cut back on your ACLs.
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
I would take all of the ones that are outbound off, leaving only the inbound access lists.
When you did your statics, did you clear your xlate table? (clear xlate)
--John
11-14-2008 01:06 PM
I have been using a combination of the ASDM and the ASDM CLI. It appears that I was missing an ACL even though the Access rule was created and should have created an ACE.
Access rule existed without any ACL.
I recommend using just one or the other to configure. The ASDM seems to miss creating things. The CLI appears to be the best way to avoid this.
access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0
Access rule existed without any ACL.
permit ip 192.168.0.0 255.255.255.0 any
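The two problems this thread works through, outbound access-groups on the inside/DMZ interfaces and an access-group whose ACL never made it into the running config, can be caught by reading the config text before it is applied. The following audit script is an added example, not the poster's attached config or a Cisco tool; the config fragment inside it is constructed to reproduce both situations and the interface and ACL names are taken from the thread.

```python
import re

# Constructed sample ASA config fragment (not the poster's real attached config).
# It reproduces both issues discussed: outbound ACLs bound on inside/DMZ, and
# access-groups (inside_access_out, DMZ_access_in) with no access-list lines at all.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 3389
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list DMZ_access_out extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
"""

# An ACE line: access-list <name> <type> permit|deny ...
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|standard|ethertype|webtype)\s+(permit|deny)\b")
# An interface binding: access-group <name> in|out interface <ifname>
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_config(text):
    """Return ({acl_name: ace_count}, [(acl_name, direction, interface), ...])."""
    acls, groups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)] = acls.get(m.group(1), 0) + 1
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.append((m.group(1), m.group(2), m.group(3)))
    return acls, groups


def audit(text):
    """Flag bindings whose ACL has no ACEs in the config, and outbound ACLs on non-outside interfaces."""
    acls, groups = parse_config(text)
    findings = []
    for name, direction, iface in groups:
        if name not in acls:
            findings.append(f"{iface} {direction}: access-group '{name}' has no access-list lines in this config")
        if direction == "out" and iface.lower() != "outside":
            findings.append(f"{iface} {direction}: outbound ACL '{name}' bound; thread advice is to keep only inbound ACLs")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file instead of SAMPLE_CONFIG to compare what ASDM shows as access rules with what the ASA actually holds.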