Manage hosts on DMZ from Inside network

razorbakill, Level 1

Hello,


I've set up an ASA5505 with the basic license running version 8.2, using all 3 interfaces: outside, inside, and the DMZ. All is working as it should, with the inside and DMZ interfaces able to access the outside and get to the internet.

The issue I'm having is being able to ping or manage any devices on the DMZ from the inside network. Since the inside has a higher security level, I thought it would be able to communicate with the DMZ at a lower security level.

I'm obviously missing something, and more configuration is needed. I've tried several suggestions with NAT and static NAT, but it is still not working.

I have uploaded my config. Any help on this issue would be greatly appreciated.



5 Replies

Jon Marshall, Hall of Fame

With the base license you can't do this.

Notice this command under your DMZ interface -

no forward interface Vlan1

This is a restriction of the license you have. Your DMZ is only allowed to talk to one other interface, and naturally you want that to be the outside interface.

You would need a license upgrade to be able to communicate between all interfaces.

Jon

I was under the impression that the "no forward interface vlan1" on the DMZ interface was so the DMZ could not initiate communication to the inside network. I'm trying to have the inside interface initiate the communication to the DMZ network, which would then reply to the inside network.

So for instance if I had a web server on the DMZ network, should it not be that any device on the inside network could initiate communication to the web server in the DMZ?


I was under the impression that the "no forward interface vlan1" on the DMZ interface was so the DMZ could not initiate communication to the inside network.

My apologies, I think I gave you incorrect information and your understanding is correct.

Can you add this to your configuration and try again -

"global (DMZ) 1 interface"

Jon

That did it! Thanks so much for your help, Jon. It is greatly appreciated.

Instead of NATing to the DMZ, you could also configure NAT-Exemption for the traffic from inside to DMZ:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

With that, your DMZ systems see the real IPs of your inside hosts. That's what I prefer for internal communication.
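As an added example (not part of the original thread and not the poster's uploaded config), here are both fixes discussed above written out as a complete ASA 8.2 snippet, together with the check a practitioner would run before and after. The subnets 192.168.1.0/24 (inside) and 172.16.10.0/24 (DMZ) are taken from the access-list in the previous reply and the interface name DMZ from Jon's command; the existing "nat (inside) 1" line, the host addresses used in packet-tracer, and the default policy-map and class names are assumptions.

```text
! --- Why inside -> DMZ was dropped (assumed starting point) ---
! In 8.2, once a dynamic "nat (inside) 1 ..." rule matches a flow, the ASA
! requires a matching "global" on the egress interface. Only the outside
! had one, so flows toward the DMZ failed with "no translation group found".
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! --- Option A (Jon's fix): PAT inside hosts behind the DMZ interface IP ---
! DMZ servers then log the DMZ interface address, not the real inside host.
global (DMZ) 1 interface

! --- Option B (NAT exemption): inside hosts keep their real addresses ---
! "nat 0 access-list" is bidirectional: it only disables translation, it does
! not grant DMZ hosts access to the inside. Lower-to-higher traffic is still
! blocked by the security levels unless an ACL on the DMZ permits it, and the
! base license's "no forward interface Vlan1" still stops the DMZ from
! initiating toward inside.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- Ping specifically (assumed default policy-map/class names) ---
! Without ICMP inspection the echo-reply from the lower-security DMZ has no
! matching connection and is dropped even after NAT is fixed.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- Verify from the ASA CLI (assumed host addresses) ---
! ICMP echo (type 8, code 0) from an inside host to a DMZ host:
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.10.20 detailed
! A management session, e.g. HTTPS to the DMZ web server:
packet-tracer input inside tcp 192.168.1.10 12345 172.16.10.20 443 detailed
! Before the fix the NAT phase reports the drop; after it, the result line
! reads "Action: allow" and "show xlate" (Option A) or "show nat" counters
! (Option B) confirm which rule the flow hit.
```

Pick one of the two options, not both: if the exemption ACL matches, nat 0 wins over the dynamic rule, so with both present the PAT to the DMZ interface is never used for that subnet. Option B is the one to prefer when DMZ logs and host-based firewalls should see real inside source addresses.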
