can you help me to access DMZ C2 host inside network, i can access from host C1(inside) to DMZ any service.
what configuration should be done to permit access from Inside to DMZ and DMZ to Inside for any service...
The required configuraiton really depends on your current configuration.
If I were to presume that you have no interface ACLs configured then you will need an ACL configured on the DMZ interface since you need to allow traffic to a higher "security-level" interfaces networks.
Typically connections from DMZ to LAN are not allowed that broadly.
Since you are essentially asking to allow all traffic from DMZ to LAN and also need to allow traffic from DMZ to the external network then you could simply add
access-list DMZ-IN remark Allow all traffic from DMZ
access-list DMZ-IN permit ip
access-group DMZ-IN in interface DMZ
Thanks for the reply...
i have one query i add dynamic nat from inside to dmz & i can access dmz host...should i need to add nat from dmz to inside.
in log it is getting error there is no nat translation from dmz to inside....
NAT work in Bidirectional mode , e.g
Suppose you are doing Source NAT form Inside to DMZ . So for the trafiic comming from DMZ to Inside it works as Destination NAT.
And if you want to do Source NAT from DMZ to Inside , then u can do this by :
Doing Destination NAT from Inside to DMZ or Source NAT from DMZ to Inside.
Hope this helps you.
If u had done Source NAT from inside to DMZ and you want source NAT from DMZ to inside, then u have to do NAT for DMZ to inside.
Also make sure that u had open the access for DMZ to inside as told by Jouni.
Hello try this.
object network Inside-Source
object network DMZ-Source
object network Inside-Destination
object network DMZ-Destination
nat (inside,DMZ) source dyanmic Inside-Source DMZ-Destination destination Inside-Destination DMZ-Source
What software version are you using ?
As 8.3 and above wont require NAT for this to work.
Please post the current configuration of ASA
You need a static NAT to go from DMZ to inside. Do you want to allow just C1 or the whole subnet that C1 is on ?
If just C1 then using 192.168.5.10 as C1's IP -
static (inside,DMZ) 192.168.5.10 192.168.5.10 netmask 255.255.255.255
if you want to be able access any inside host on the 192.168.5.0/24 network -
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
it will be work bidirectional..? DMZ to INSIDE and INSIDE to DMZ....for whole network..
should i add access-list in bothe site..?
Yes, static NAT works both ways.
You would need an access list on the DMZ interface to go to the inside.
Edit - as already stated your acl also needs to allow DMZ traffic to the outside.