Cisco ASA Inside to DMZ Communication

ahmad82pkn (Level 2)

I have read in several places that after 8.3 you don't need NAT to communicate from Inside to DMZ (high security zone to low security zone)

and only need an ACL permitting this communication.

But for me it doesn't seem to be working.

Any help?

192.168.92.10 is the switch I am trying to access from inside, and it has gateway 192.168.92.1 (DMZ interface of the ASA).

access-list INSIDE-TO-DMZ extended permit tcp any host 192.168.92.10 eq ssh

access-group INSIDE-TO-DMZ out interface DMZ

access-list DMZ-TO-INSIDE extended deny ip any any

access-group DMZ-TO-INSIDE in interface DMZ

Below is the show conn output.

TCP DMZ: 192.168.92.10/22 (192.168.92.10/22) LAN: 10.95.36.26/55070 (10.95.36.26/55070), flags saA , idle 1s, uptime 4s, timeout 30s, bytes 0
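An added example, not from the original post: a small parser for `show conn` lines like the one above that decodes the flags field (the legend subset is assumed from Cisco's ASA command reference) and tells a half-open conn, where the SYN was permitted but no SYN/ACK ever came back, apart from an established one. The sample lines are constructed; the first reproduces the line above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output in the "show conn" format; line 1 is the OP's line,
# lines 2 and 3 are made up for contrast (established, and long-stale half-open).
SAMPLE_SHOW_CONN = """\
TCP DMZ: 192.168.92.10/22 (192.168.92.10/22) LAN: 10.95.36.26/55070 (10.95.36.26/55070), flags saA , idle 1s, uptime 4s, timeout 30s, bytes 0
TCP DMZ: 192.168.92.20/443 (192.168.92.20/443) LAN: 10.95.36.27/51000 (10.95.36.27/51000), flags UIO , idle 0s, uptime 2m10s, timeout 1h0m, bytes 48213
TCP DMZ: 192.168.92.10/22 (192.168.92.10/22) LAN: 10.95.36.26/55071 (10.95.36.26/55071), flags saA , idle 45s, uptime 45s, timeout 30s, bytes 0
"""

# Subset of the ASA conn flag legend (assumed from the command reference).
FLAG_LEGEND = {"s": "awaiting outside SYN", "a": "awaiting outside ACK to SYN",
               "A": "awaiting inside ACK to SYN", "S": "awaiting inside SYN",
               "U": "up", "I": "inbound data", "O": "outbound data"}

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if1>\S+):\s*(?P<ip1>[\d.]+)/(?P<port1>\d+)\s+\([^)]*\)\s+"
    r"(?P<if2>\S+):\s*(?P<ip2>[\d.]+)/(?P<port2>\d+)\s+\([^)]*\),\s*"
    r"flags\s+(?P<flags>\S+)\s*,.*?uptime\s+(?P<uptime>\S+),.*?bytes\s+(?P<bytes>\d+)")

@dataclass
class Conn:
    proto: str
    side1: str   # first endpoint printed (the DMZ side in the OP's output)
    side2: str   # second endpoint printed (the LAN side in the OP's output)
    flags: str
    uptime: str
    nbytes: int

    def diagnosis(self) -> str:
        # "saA" with 0 bytes: the initiating SYN was permitted and a conn entry
        # built, but no SYN/ACK has returned. That is a return-path problem
        # (routing on the DMZ host, or a filter on the reply), not the ACL that
        # allowed the SYN: a missing ACL permit would show no conn entry at all.
        if set(self.flags) == set("saA") and self.nbytes == 0:
            return f"half-open: SYN permitted, no SYN/ACK from {self.side1} (check its route back to {self.side2})"
        if "U" in self.flags:
            return "established"
        return "other: " + ", ".join(FLAG_LEGEND.get(f, f) for f in self.flags)

def parse_show_conn(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], f"{m['if1']} {m['ip1']}/{m['port1']}",
                              f"{m['if2']} {m['ip2']}/{m['port2']}",
                              m["flags"], m["uptime"], int(m["bytes"])))
    return conns

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE_SHOW_CONN):
        print(f"{c.side2} -> {c.side1} flags={c.flags} uptime={c.uptime}: {c.diagnosis()}")
```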


By default, traffic from higher Security Level to lower Security Level is allowed and so is the reply traffic as the stateful inspection is on by default, so no Initial ACL is needed.

ahmad82pkn (Level 2)

Resolved it by adding a default route in the switch that was sitting in the DMZ.

But it's a LAN Base image 3850X; why did it need a default route instead of a default gateway?

 Slot#  License name   Type     Count   Period left
----------------------------------------------------------
 1      lanbase      permanent     N/A   Lifetime
