03-21-2015 05:54 AM - edited 03-11-2019 10:40 PM
Hello,
I've set up an ASA5505 with a basic license running version 8.2 using all 3 interfaces: outside, inside, and the DMZ. All is working as it should, with the inside and DMZ interfaces being able to access the outside and get to the internet.
The issue I'm having is being able to ping or manage any devices from the inside network to any devices on the DMZ. Since the inside has a higher security level, I thought that it would communicate with the DMZ at a lower security level.
I'm obviously missing something and more configuration is needed. I've tried several suggestions with NAT and static NAT, but it is still not working.
I have uploaded my config. Any help on this issue would be greatly appreciated.
03-21-2015 06:12 AM
With the base license you can't do this.
Notice this command under your DMZ interface -
no forward interface Vlan1
This is a restriction of the license you have. Your DMZ is only allowed to talk to one other interface, and naturally you want that to be the outside interface.
You would need a license upgrade to be able to communicate between all interfaces.
Jon
03-21-2015 08:09 AM
I was under the impression that the "no forward interface vlan1" on the DMZ interface was so the DMZ could not initiate communication to the inside network. I'm trying to have the inside interface initiate the communication to the DMZ network, which would then reply to the inside network.
So for instance if I had a web server on the DMZ network, should it not be that any device on the inside network could initiate communication to the web server in the DMZ?
03-21-2015 08:17 AM
I was under the impression that the "no forward interface vlan1" on the DMZ interface was so the DMZ could not initiate communication to the inside network.
My apologies, I think I gave you incorrect information and your understanding is correct.
Can you add this to your configuration and try again -
"global (DMZ) 1 interface"
Jon
03-21-2015 09:19 AM
That did it! Thanks so much for your help, Jon. It is greatly appreciated.
03-21-2015 06:02 PM
Instead of NATing to the DMZ, you could also configure NAT exemption for the traffic from inside to DMZ:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
With that, your DMZ systems see the real IPs of your inside hosts. That's what I prefer for internal communication.
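For reference, here are the two options from the thread written out as complete ASA 8.2 configuration fragments. This is an added illustration, not config posted by anyone in the thread: the inside and DMZ subnets are the ones used in the reply above and are assumed to match the poster's network, the nameif values "inside" and "DMZ" are taken from the commands quoted above, and the host addresses in the packet-tracer check are made up.

```text
! Option A (what fixed the thread): PAT inside hosts to the DMZ interface address.
! Requires an existing "nat (inside) 1 ..." statement; the global on the DMZ side
! lets that same NAT id be used for inside-to-DMZ traffic.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface
!
! Option B (the alternative suggested above): NAT exemption for inside-to-DMZ.
! The access-list on its own does nothing; it must be bound with "nat (inside) 0".
! DMZ hosts then see the real 192.168.1.x source addresses, so DMZ-side ACLs and
! server logs stay meaningful.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Verification (exec mode). Host addresses are made up for the example.
! Phase "NAT" in the output should show either the DMZ PAT (A) or "nat 0 exempt" (B);
! an untranslated-packet drop at the NAT phase means neither rule matched.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.10.10
show xlate
show nat
```

Only one of the two options is needed for a given inside-to-DMZ flow; with both present, the NAT 0 exemption takes precedence for the subnets it lists.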