Help: connect DMZ to other network

claudiojeldesv
Level 1

Hi my friends, I need help please, I am a newbie.

I have an ASA 5505 with a Security Plus licence and I need to permit access to 10.10.1.1 2 from the DMZ. The network 10.10.1.1 can be accessed via 192.168.111.254 and this network is secure. If I ping 10.10.1.1 from the ASA it succeeds, but from the DMZ it is not working...

Note: I have a static route configured on "Network3", NAT for "DMZ", and an access list.

Thanks!

interface Vlan1
 description OUTSIDE
 nameif outside
 security-level 0
 ip address IP-PUBLICA 255.255.255.248
!
interface Vlan2
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.1.249 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan10
 no nameif
 no security-level
 no ip address
!
interface Vlan20
 nameif network3
 security-level 100
 ip address 192.168.111.254 255.255.255.0
!

access-list outside_access extended permit tcp any any eq ssh
access-list inside_nat0_outbound extended permit ip any 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list OutsideToInside extended permit object-group TCPUDP any interface outside eq www
access-list OutsideToInside extended permit object-group TCPUDP any interface outside eq domain
access-list OutsideToInside extended permit tcp any interface outside object-group sqlserver
access-list OutsideToInside extended permit udp any interface outside object-group sqlserver2
access-list OutsideToInside extended permit tcp any interface outside eq smtp
access-list OutsideToInside extended permit tcp any interface outside eq pop3
access-list OutsideToInside extended permit tcp any interface outside object-group pop3ssl
access-list OutsideToInside extended permit tcp any interface outside object-group smtpssl
access-list OutsideToInside extended permit tcp any interface outside eq https
access-list OutsideToInside extended permit tcp any interface outside object-group DM_INLINE_TCP_2
access-list OutsideToInside extended permit tcp any interface outside eq imap4
access-list OutsideToInside extended permit tcp any interface outside object-group Web-NVR
access-list inside_access_in extended permit ip any any
access-list dmz extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz extended permit ip any any
access-list dmz_access_in extended permit tcp any 10.10.1.1 255.255.255.0 object-group rdp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu network3 1500
ip local pool Tunnel-CISCO 192.168.1.90-192.168.1.99 mask 255.255.255.0
ip local pool Tunnel-Assurance 192.168.100.224-192.168.100.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
global (network3) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list inside_nat0_outbound
nat (dmz) 1 192.168.0.0 255.255.255.0

static (outside,inside) tcp interface 3389 IP-PUBLICA 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 NVR 8080 netmask 255.255.255.255
static (dmz,outside) udp interface domain ISP_Config domain netmask 255.255.255.255
static (dmz,outside) tcp interface domain ISP_Config domain netmask 255.255.255.255
static (dmz,outside) tcp interface www ISP_Config www netmask 255.255.255.255
static (dmz,outside) tcp interface https WebServer https netmask 255.255.255.255
static (dmz,outside) tcp interface ftp ISP_Config ftp netmask 255.255.255.255
static (dmz,outside) tcp interface 81 WebServer 81 netmask 255.255.255.255
static (dmz,outside) tcp interface 1433 WebServer 1433 netmask 255.255.255.255
static (dmz,outside) udp interface 1434 WebServer 1434 netmask 255.255.255.255
static (dmz,outside) tcp interface smtp ISP_Config smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 ISP_Config pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface 995 ISP_Config 995 netmask 255.255.255.255
static (dmz,outside) tcp interface 465 ISP_Config 465 netmask 255.255.255.255
static (dmz,outside) tcp interface imap4 ISP_Config imap4 netmask 255.255.255.255
static (dmz,outside) tcp interface 5150 Test-WebServer 5150 netmask 255.255.255.255
static (dmz,outside) tcp interface 5160 Test-WebServer 5160 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group OutsideToInside in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 190.196.128.233 1
route network3 10.10.1.1 255.255.255.0 192.168.111.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 4434
http 192.168.100.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 dmz
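An offline way to check what the posted ACLs actually allow, as an added example that is not part of the original post or of any Cisco tool: the script below parses the `access-list` and `access-group` lines quoted from the config above, works out which ACL is bound inbound on the dmz interface, and evaluates a flow against it with the ASA's first-match semantics and implicit deny. It covers only the syntax those lines use (permit/deny; protocols ip, tcp, udp, icmp; endpoints `any`, `host`, `address mask`; a destination port as `eq` or `object-group`). The `rdp` object-group is not shown in the post, so its content (tcp/3389) is an assumption, as are the sample source addresses. Like the ASA, the example masks `10.10.1.1 255.255.255.0` with its netmask, so that entry covers all of 10.10.1.0/24. Running it shows that `dmz_access_in`, the ACL bound on dmz, has no ICMP entry, so a ping from a DMZ host falls through to the implicit deny, whereas the unbound `dmz` ACL (`permit ip any any`) would have allowed it; traffic originated by the ASA itself is not subject to interface ACLs, which is consistent with the ping from the ASA succeeding.

```python
"""Evaluate an ASA extended ACL offline (added example, not from the post)."""
import ipaddress

# Constructed input: the ACL and access-group lines quoted from the post.
CONFIG = """
access-list dmz extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz extended permit ip any any
access-list dmz_access_in extended permit tcp any 10.10.1.1 255.255.255.0 object-group rdp
access-group dmz_access_in in interface dmz
""".strip().splitlines()

# The post does not show the 'rdp' object-group; tcp/3389 is an assumption.
PORT_GROUPS = {"rdp": {3389}}

# Service names the ASA accepts in place of numbers (the ones used on the page).
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "domain": 53, "smtp": 25,
              "pop3": 110, "imap4": 143, "ftp": 21}


def _endpoint(tokens):
    """Consume one source/destination spec; return (network, tokens left)."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # 'ADDRESS MASK': mask the address as the ASA does, so that
    # 10.10.1.1 255.255.255.0 becomes 10.10.1.0/24 (every host in the /24).
    net = ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def _ports(tokens, groups):
    """Consume an optional destination-port spec; None means any port."""
    if not tokens:
        return None
    if tokens[0] == "eq":
        p = tokens[1]
        return {int(p) if p.isdigit() else PORT_NAMES[p]}
    if tokens[0] == "object-group":
        return set(groups[tokens[1]])
    raise ValueError(f"unsupported port spec: {' '.join(tokens)}")


def parse_ace(line, groups=PORT_GROUPS):
    """Parse one 'access-list NAME extended ...' line into a rule dict."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    name, action, proto = t[1], t[3], t[4]
    src, rest = _endpoint(t[5:])
    dst, rest = _endpoint(rest)
    return {"name": name, "permit": action == "permit", "proto": proto,
            "src": src, "dst": dst, "dports": _ports(rest, groups)}


def bound_acl(config, interface):
    """Return the ACL name applied inbound on `interface`, or None."""
    for line in config:
        t = line.split()
        if t[:1] == ["access-group"] and t[2:5] == ["in", "interface", interface]:
            return t[1]
    return None


def acl_permits(config, acl_name, proto, src, dst, dport=None, groups=PORT_GROUPS):
    """First-match evaluation of ACL `acl_name`, with the implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in config:
        ace = parse_ace(line, groups)
        if ace is None or ace["name"] != acl_name:
            continue
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dports"] is not None and dport not in ace["dports"]:
            continue
        return ace["permit"]
    return False  # nothing matched: implicit deny


def dmz_flow_allowed(proto, src, dst, dport=None, config=CONFIG):
    """Is a flow entering the dmz interface permitted by the ACL bound there?"""
    return acl_permits(config, bound_acl(config, "dmz"), proto, src, dst, dport)


if __name__ == "__main__":
    # 192.168.0.10 is an assumed DMZ host (the dmz interface is 192.168.0.1/24).
    for flow in [("icmp", "192.168.0.10", "10.10.1.1", None),
                 ("tcp", "192.168.0.10", "10.10.1.1", 3389),
                 ("tcp", "192.168.0.10", "10.10.1.77", 3389),
                 ("tcp", "192.168.0.10", "10.10.1.1", 22)]:
        print(flow, "->", "permit" if dmz_flow_allowed(*flow) else "deny")
```

The ACL name is looked up from the `access-group` line rather than hard-coded on purpose: the config has two DMZ-related ACLs, and only the bound one matters for transit traffic. Note also that the matcher only answers the ACL question; NAT and routing between dmz and network3 are separate checks.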