03-12-2018 12:57 AM - edited 02-21-2020 07:30 AM
Hi all,
I have an ASA 5525 connected to a DMZ server switch (Cisco 2960) and a core switch (4500 series with VSS configured on it). I connected the ASA 5525 to the core switch using a port channel, and I want the DMZ network to access the internal (core-side) network and vice versa. What should I do?
Internal network 172.20.x.x
Dmz Network 192.168.x.x
Regards,
03-12-2018 01:16 AM
Create ACL statements on the firewall that permit the inside addresses to reach the DMZ and vice versa.
e.g.
DMZ interface: access-group dmz_access_in in interface DMZ
Inside interface: access-group inside_access_in in interface Inside
access-list inside_access_in extended permit tcp 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
Core switch 4500:
Create a route for the internal network to reach the DMZ addresses through the gateway between the firewall and your core switch.
That said, I think it is better to decide which specific servers on the inside network you want specific servers on the DMZ to communicate with.
In that case, you can create object-groups and grant permissions based on those object-groups.
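A fuller worked configuration for the approach described in the reply above. This is an added example, not the original poster's or replier's configuration: the addressing (a 10.0.0.0/30 transit link between the ASA inside port-channel and the core, DMZ interface 192.168.1.1/24), the interface names, and the object-group names and hosts are assumptions chosen for illustration. It shows the per-host object-groups the reply recommends, the return route the ASA needs because the 172.20.0.0/16 networks sit behind the core rather than directly on the inside interface, and the caveat that binding an ACL to the inside interface removes the ASA's default "permit to lower security level" behaviour, so Internet-bound traffic must be explicitly permitted at the end of that ACL.

```cisco
! Added example (not from the original thread). Assumed addressing:
!   ASA inside  = Port-channel1, 10.0.0.1/30  <-> core 4500 SVI/port-channel 10.0.0.2/30
!   ASA dmz     = GigabitEthernet0/2, 192.168.1.1/24, servers on the 2960
!   Inside networks 172.20.0.0/16 are routed behind the core; DMZ summary 192.168.0.0/16
!
! ---------------- ASA 5525 ----------------
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Return route: the inside networks are not directly connected to the ASA,
! so without this the DMZ -> inside reply traffic has no path back.
route inside 172.20.0.0 255.255.0.0 10.0.0.2 1
!
! Restrict the DMZ <-> inside flows to specific hosts and ports (hypothetical names/hosts)
object-group network INSIDE_APP_SERVERS
 network-object host 172.20.10.5
 network-object host 172.20.10.6
object-group network DMZ_WEB_SERVERS
 network-object host 192.168.1.10
object-group service DMZ_TO_INSIDE_PORTS tcp
 port-object eq 1433
 port-object eq 8443
!
! Inside -> DMZ. Applying an ACL to the inside interface replaces the default
! implicit permit to lower security levels, so the final line keeps Internet access working.
access-list inside_access_in extended permit tcp object-group INSIDE_APP_SERVERS object-group DMZ_WEB_SERVERS eq 443
access-list inside_access_in extended permit icmp 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0 echo
access-list inside_access_in extended deny ip any 192.168.0.0 255.255.0.0 log
access-list inside_access_in extended permit ip 172.20.0.0 255.255.0.0 any
!
! DMZ -> inside: only the web tier to the app/DB tier on the listed ports;
! anything else destined for the inside networks is logged and dropped.
access-list dmz_access_in extended permit tcp object-group DMZ_WEB_SERVERS object-group INSIDE_APP_SERVERS object-group DMZ_TO_INSIDE_PORTS
access-list dmz_access_in extended deny ip any 172.20.0.0 255.255.0.0 log
access-list dmz_access_in extended permit ip 192.168.0.0 255.255.0.0 any
!
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
!
! ---------------- Core 4500 (VSS) ----------------
interface Port-channel10
 description Uplink to ASA inside
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Send the DMZ networks to the ASA's inside address
ip route 192.168.0.0 255.255.0.0 10.0.0.1
```

After applying it, `show access-list` on the ASA shows the hit counts per line, `show route` confirms both the connected DMZ subnet and the static route to 172.20.0.0/16, and `packet-tracer input dmz tcp 192.168.1.10 40000 172.20.10.5 1433` walks a DMZ-to-inside flow through the route lookup and ACL so you can see which line permits or drops it before real traffic depends on it. Note that the reply's original ACLs only permit TCP; DNS, NTP and ICMP between the zones need their own lines if those are required.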
03-12-2018 01:34 AM
03-12-2018 01:42 AM
Kindly share but do remember to remove sensitive information