Cisco ASA 5525

henokk601
Level 1

Hi

I have a Cisco 5525 ASA which is connected to a core switch and a DMZ switch, and I want the core switch side network (i.e. 172.20.x.x) to access the DMZ network (192.168.x.x). I ran the following command on the ASA 5525

access-list inside-to-DMZ extended permit ip any any

and applied it to the core switch side interface (i.e. inside) and the DMZ side interface (i.e. DMZ)

access-group inside-to-DMZ in interface DMZ
access-group inside-to-DMZ in interface inside

However, I can't access the DMZ network from the core switch side network, so what am I supposed to do?


Marvin Rhoads
Hall of Fame

Depending on the security level, you don't generally need an ACL between inside and DMZ. You definitely don't need one on both inside and DMZ interfaces because an ASA is a stateful firewall - traffic allowed through in one direction is entered into a state table and the return traffic is automatically allowed.


Does the core know to route traffic to the ASA? Is there any NAT in place?


If you can share your configuration it would help better answer your question.

abdallah malas
Level 1
Hello,
Did you check if there is a route between the 172.20 network and the 192.168 network?
Even if the connection is allowed by ACL, you still have to route the packets.
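Putting both replies together, here is an added illustration (not from the thread or from Cisco) of the posted configuration beside a tighter one that only binds an ACL on inside and adds the routing both answers ask about. It assumes the interface names inside and DMZ with security levels 100 and 50, /16 masks for the two networks, and placeholder next-hop and host addresses; adjust to the real topology.

```cisco
! --- As posted: one permit-any ACL bound inbound on both interfaces ---
! Redundant on a stateful firewall: the inside->DMZ flow creates a state
! entry and the DMZ->inside return traffic is allowed by that entry, not by
! an ACL. Binding permit ip any any inbound on DMZ also lets any DMZ host
! initiate connections toward inside.
access-list inside-to-DMZ extended permit ip any any
access-group inside-to-DMZ in interface DMZ
access-group inside-to-DMZ in interface inside

! --- Tighter equivalent (assumed interface names, levels and masks) ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
!
! With inside (100) above DMZ (50), inside->DMZ is permitted by default and
! needs no ACL at all. If an ACL is bound to inside anyway, keep it explicit:
! a bound ACL ends in an implicit deny, so everything else from inside stops.
access-list inside-to-DMZ extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside-to-DMZ extended deny ip any any log
access-group inside-to-DMZ in interface inside
! Nothing is bound to DMZ: return traffic matches the state table, and
! DMZ-initiated sessions toward inside stay blocked by the security levels.
!
! Routing: the ASA must know where 192.168.0.0/16 lives (omit if the DMZ
! network is directly connected), and the core must route 192.168.0.0/16
! toward the ASA inside address. Placeholder next hop below.
route DMZ 192.168.0.0 255.255.0.0 <DMZ-next-hop>
!
! Verification: trace a constructed inside->DMZ flow through the ASA. The
! output shows the route lookup, any NAT phase, and the ACL phase, so a
! missing route or an unexpected NAT rule is visible without touching hosts.
packet-tracer input inside tcp 172.20.1.10 12345 192.168.1.10 80
show route
```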