Need help configuring DMZ access on ASA 5505

amardulaimi
Level 1

Hi everyone, I can't seem to get this to work, so here's some information about the network and what I need, hoping someone can guide me in configuring this correctly. I'm running ASA 5505 v9.2, ASDM v7.9.

inside interface: 10.2.1.1

DMZ interface: 10.20.1.1

DMZ security level is 40

inside security level is 100

I have requirements to allow traffic with the following ports below from 10.20.1.2 (DMZ RODC) to 10.2.1.53 (Inside DC):

TCP/UDP 389
TCP 445
TCP 5722
TCP/UDP 53
TCP 135
TCP 3268
TCP 88
TCP/UDP 464
TCP 49152
TCP 59152
UDP 123

Also, I can't seem to ping the DMZ from the inside. I have a NAT configured already to translate the inside subnet 10.2.1.0/24 to the DMZ interface, but I'm still not able to ping the DMZ network or the DMZ interface from the inside. Am I missing something else? What needs to be done to correct this?

Thanks in advance

Accepted Solution

TJ-20933766
Spotlight

Because the DMZ is a lower security level than the INSIDE zone, we only need to create an access list and apply it to the DMZ interface to allow traffic to go from lower to higher security zones like so:

object-group service DMZ-SERVICE
 service-object tcp-udp destination eq 389
 service-object tcp destination eq 445
 service-object tcp destination eq 5722
 service-object tcp-udp destination eq domain
 service-object tcp destination eq 135
 service-object tcp destination eq 3268
 service-object tcp destination eq 88
 service-object tcp-udp destination eq 464
 service-object tcp destination eq 49152
 service-object tcp destination eq 59152
 service-object udp destination eq ntp
!
access-list DMZ-INBOUND extended permit object-group DMZ-SERVICE host 10.20.1.2 host 10.2.1.53
access-list DMZ-INBOUND extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-INBOUND extended permit ip any any
access-group DMZ-INBOUND in interface DMZ

The first line allows the ports as you listed above. The second line denies all other traffic from the DMZ that is destined for the INSIDE zone. The third line allows the DMZ to reach the Internet (remove this line if you don't want the DMZ to be able to reach the Internet).

To allow ping through the ASA, perform the following commands:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global

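As an added example (not part of the thread or of Cisco's tooling), here is a small Python model of the ASA's first-match ACL evaluation run over the DMZ-INBOUND list and service group posted above. It is a way to check the policy before pushing it: the RODC reaching the DC on the listed protocol/port pairs hits the permit line, any other DMZ-to-10.0.0.0/8 flow (another DMZ host, another inside destination, UDP 445 where only TCP 445 was listed) hits the deny, and DMZ-to-Internet traffic falls through to the final permit. Only the syntax used in the post is parsed; any addresses you test beyond those in the thread are constructed inputs.

```python
import ipaddress
# Service group and ACL exactly as posted in the accepted answer (access-group line omitted).
ASA_CONFIG = """
object-group service DMZ-SERVICE
 service-object tcp-udp destination eq 389
 service-object tcp destination eq 445
 service-object tcp destination eq 5722
 service-object tcp-udp destination eq domain
 service-object tcp destination eq 135
 service-object tcp destination eq 3268
 service-object tcp destination eq 88
 service-object tcp-udp destination eq 464
 service-object tcp destination eq 49152
 service-object tcp destination eq 59152
 service-object udp destination eq ntp
access-list DMZ-INBOUND extended permit object-group DMZ-SERVICE host 10.20.1.2 host 10.2.1.53
access-list DMZ-INBOUND extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-INBOUND extended permit ip any any
"""

def take_addr(tok):  # consume one ASA address spec (any | host A | NET MASK) -> (network, rest)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(config):  # -> {acl_name: [(action, {(proto, port)} or None for bare 'ip', src, dst)]}
    groups, acl, cur = {}, {}, None
    for tok in (ln.split() for ln in config.strip().splitlines()):
        if tok[0] == "object-group":
            cur = groups.setdefault(tok[2], set())
        elif tok[0] == "service-object":
            protos = ("tcp", "udp") if tok[1] == "tcp-udp" else (tok[1],)
            port = {"domain": 53, "ntp": 123}.get(tok[4]) or int(tok[4])  # ASA port keywords
            cur.update((p, port) for p in protos)
        elif tok[0] == "access-list":
            svc, rest = (groups[tok[5]], tok[6:]) if tok[4] == "object-group" else (None, tok[5:])
            src, rest = take_addr(rest)
            dst, _ = take_addr(rest)
            acl.setdefault(tok[1], []).append((tok[3], svc, src, dst))
    return acl

def evaluate(acl, name, proto, src, dst, dport=None):  # first match wins, else implicit deny
    for action, svc, s_net, d_net in acl[name]:
        if (ipaddress.ip_address(src) in s_net and ipaddress.ip_address(dst) in d_net
                and (svc is None or (proto, dport) in svc)):
            return action
    return "deny"
```

Note that an ICMP echo originating from the DMZ toward 10.2.1.53 also matches the 10.0.0.0/8 deny line, so this list allows the inspected replies to inside-initiated pings but not DMZ-initiated pings to the inside.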
4 Replies

amardulaimi
Level 1

@TJ-20933766 What about the NAT policy for DMZ to inside? Don't I need that too, as those are two different subnets?

TJ-20933766
Spotlight

NAT is not required between the DMZ and the INSIDE zones. NAT is only required when the DMZ or INSIDE zones need to send traffic to the Internet (OUTSIDE zone). This is because you are translating the private IP address space (RFC-1918 https://tools.ietf.org/html/rfc1918) to public IP addresses when communicating with the Internet.

amardulaimi
Level 1

@TJ-20933766 OK, yes, I'm aware that private addresses need NAT to access the internet; I thought I also needed NAT between inside and DMZ. I will try the above solution for DMZ to inside. BTW, I can ping the DMZ hosts now from the inside but not the DMZ interface 10.20.1.1.
