Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4989
Views
30
Helpful
25
Replies

Need help with giving devices behind DMZ access to Lan Resources

Go to solution
David Haman
Level 1
Level 1

‎07-06-2010 03:14 PM - edited ‎03-11-2019 11:08 AM

Heres a little background of my setup, I have 1 Isp which assigns me an Ip via dhcp , i have Patted my inside to outside to receive net access, I have also done the same with my Dmz interface which all devices on the Dmz can access the internet. Inside (vlan1) Outside (vlan2) Dmz (vlan3)

I have sucessfully setup rules to access from outside of my network a couple of security cameras to watch my dogs while i am work, my email server etc , plus i have vpn access. works very well. My only issue is i want dmz devices to be able to access and Use my Dns server that sits on the inside , but i have tried so many access list, rules etc and i continuously receive an error that states denied due to dns query. I also want DMZ devices to beable to access network printers (port 9100) that reside on the inside also but i have been unsucessful with this Of course the only way my dmz devices can access internal recourses is if i set the security level to 100 which i do not want to do . Vlan 3 labled dmz is my wireless segment . (as for now i have a second nic on my dns server that is on the 10.10.3.x network going to vlan 3 ) but that is just temp . I want Dmz computers to be able to access internal Dns and AD..etc..I also was wishing that the ASA could allow me to doa  sort of ip helper so my vlan 3 can pull ip addresses from my dhcp server on the dmz network, but for now i have dhcp running on a server for just the inside, and the dmz is pulling dhcp address for clients from the asa dhcp server..I just want the dmz devices to be able to access certain inside resources.

Thanks in advance for any assistance

Here is my config

!
ASA Version 8.3(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxxx.local
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
name 10.10.10.254 namesrv0-1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
banner exec Welcome To xxxxxxx
banner login Welcome To xxxxxxx
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server namesrv0-1
domain-name xxxxxxxxx.local
dns server-group vlan3_dns_server
name-server 10.10.3.254(temp)
domain-name dmz.liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
description inside network segment 
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network namesrv0-1
host 10.10.10.254
object network file-serv
host 10.10.10.14
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
description dmz network segment 
object network Dmz_Inside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1(vlan3)
host 10.10.3.254
object network mail-serv
host 10.10.10.25
object network foxclone-rdp-dmz
host 10.10.10.9
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-https eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
logging from-address cisco.alerts@liquidskynet.com
logging recipient-address david.haman@liquidskynet.com level alerts
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
asdm location 10.10.3.25 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface dns
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns namesrv0-1 68.87.73.246 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 10.10.3.254 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside foxclone C:\TFTP-Root
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254 10.10.3.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
username dhaman password xxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxx
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 10.10.10.25
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Labels:
0 Helpful
25 Replies 25

Go to solution
David Haman
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-07-2010 01:02 PM

: Saved
: Written by dhaman at 15:57:32.736 EDT Wed Jul 7 2010
!
ASA Version 8.3(1)
!
hostname brickzone
domain-name liquidskynet.local
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
name 10.10.10.9 foxclone
name 10.10.10.198 netprinter-01
name 10.10.10.14 file-serv
name 10.10.3.190 petcam
name 10.10.10.25 mail-serv
name 10.10.3.191 petcam2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name liquidskynet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.192
object network mail-serv-smtp
host 10.10.10.25
object network mail-serv-https
host 10.10.10.25
object network foxclone
host 10.10.10.9
object network Inside_Outside_Dynamic_Pat
subnet 10.10.10.0 255.255.255.0
object network Dmz_Outside_Dynamic_Pat
subnet 10.10.3.0 255.255.255.0
object network petcam2-http
host 10.10.3.191
object network petcam-http
host 10.10.3.190
object network petcam2-winstream
host 10.10.3.191
object network backup-serv
host 10.10.3.11
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
object network namesrv0-1
host 10.10.10.254
description AD,DNS,DHCP(Inside)
object network petcam-todns-to-inside
host 10.10.3.191
object network petcam2-inside-dns
host 10.10.3.191
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list dmz_access_in extended permit ip any host 10.10.10.254
access-list dmz_access_in extended deny ip any 10.10.10.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Tunnel-1_splitTunnelAcl standard permit 10.10.3.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list outside_access_in extended permit tcp any object petcam-http eq 8081
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq https
access-list outside_access_in extended permit tcp any object mail-serv-smtp eq smtp
access-list outside_access_in extended permit tcp any object foxclone eq 7000 inactive
access-list outside_access_in extended permit tcp any object petcam2-http eq 8082
access-list outside_access_in extended permit tcp any object petcam2-winstream eq 81 inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Vpn-1_Pool 192.168.10.10-192.168.10.34 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-631.bin
asdm location petcam 255.255.255.255 inside
asdm location file-serv 255.255.255.255 inside
asdm location mail-serv 255.255.255.255 inside
asdm location petcam2 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.10.0 obj-192.168.10.0
nat (dmz,outside) source static obj-10.10.3.0 obj-10.10.3.0 destination static obj-192.168.10.0 obj-192.168.10.0
!
object network mail-serv-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network mail-serv-https
nat (inside,outside) static interface service tcp https https
object network foxclone
nat (inside,outside) static interface service tcp 7000 7000
object network Inside_Outside_Dynamic_Pat
nat (inside,outside) dynamic interface
object network Dmz_Outside_Dynamic_Pat
nat (dmz,outside) dynamic interface
object network petcam2-http
nat (dmz,outside) static interface service tcp 8082 8082
object network petcam-http
nat (dmz,outside) static interface service tcp 8081 8081
object network petcam2-winstream
nat (dmz,outside) static interface service tcp 81 81
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 60
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns 10.10.10.254 interface inside
dhcpd domain liquidskynet.local interface inside
!
dhcpd address 10.10.3.10-10.10.3.30 dmz
dhcpd dns 68.87.71.230 68.87.73.246 interface dmz
dhcpd domain dmz.liquidskynet.local interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Tunnel-1 internal
group-policy Tunnel-1 attributes
dns-server value 10.10.10.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel-1_splitTunnelAcl
default-domain value liquidskynet.local
group-policy DfltGrpPolicy attributes
dns-server value 10.10.10.254
ip-comp enable
re-xauth enable
pfs enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value Vpn-1_Pool
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
username dhaman password XXXXXXXXXXXXXXXXXXXXXXXX encrypted privilege 15
username dhaman attributes
vpn-group-policy Tunnel-1
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
group-lock none
tunnel-group DefaultRAGroup general-attributes
default-group-policy Tunnel-1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key XXXXXXXXXXXXX
tunnel-group Tunnel-1 type remote-access
tunnel-group Tunnel-1 general-attributes
address-pool Vpn-1_Pool
default-group-policy Tunnel-1
tunnel-group Tunnel-1 ipsec-attributes
pre-shared-keyXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum XXXXXXXXXXX
: end

Here is the Trace

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac10428, priority=1, domain=permit, deny=false
        hits=16767, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac10c48, priority=0, domain=permit, deny=true
        hits=464, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to David Haman

‎07-07-2010 01:19 PM

Hello David,

I do not see the DMZ access-list applied to the interface.

access-group dmz_access_in in interface DMZ

Also, the identity NAT between inside and DMZ is missing:

object network namesrv0-1
host 10.10.10.254
description AD,DNS,DHCP(Inside)

nat (inside,dmz) static 10.10.10.254

Please enter these commands and then run the packet tracer again.

packet-tracer input dmz udp 10.10.3.191 1024 10.10.10.254 53 detailed

Hopefully that should tell us where it is getting blocked. Current output indicates that there is not access-list on the DMZ interface.

Regards,

NT

0 Helpful

Go to solution
David Haman
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-07-2010 01:43 PM

after i added

access-list dmz_access_in permit ip any host 10.10.10.254

access-list dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list dmz_access_in permit ip any any

I was forgetting

nat (inside,dmz) source static namesrv0-1 namesrv0-1 destination static namesrv0-1 namesrv0-1

access-group dmz_access_in in interface DMZ

My dmz devices can now use my dns server that sits on the inside interface

Thank you so very  much for your assistance with helping me I really appreciate it, now i have a much better understanding of this

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to David Haman

‎07-07-2010 02:01 PM

Nice to know that things are working now. Glad that we could help.

Regards,

NT

Note: Do not forget to rate the useful posts.

0 Helpful

Go to solution
David Haman
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-07-2010 03:07 PM

One last question  could you explain how these  are allowing dmz devices the ability to use the dns server on the inside, is there anyway that i could get more granular with a rule that allows the dmz network (10.10.3.0/24) to use udp 53 located on 10.10.10.254 (dns server)

access-list dmz_access_in permit ip any host 10.10.10.254

access-list  dmz_access_in deny ip any 10.10.10.0 255.255.255.0

access-list  dmz_access_in permit ip any any     (this seems like it would not be safe ) but if i disable then the dmz devices can not use 10.10.10.254 to resolve

nat (inside,dmz) source static  namesrv0-1 namesrv0-1 destination static namesrv0-1 namesrv0-1

access-group  dmz_access_in in interface DMZ

Thanks again

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to David Haman

‎07-07-2010 03:19 PM

When you configured the NAT rule, you basically met one of the criterion required to enable communication between the inside and the DMZ. The requirement is that when you want to communicate between the higher security interface (inside) to lower security interface (DMZ), you need to have a NAT rule specified for the higher security hosts. In your case, since you want to open connection from the DMZ side, you need to have a static rule configured that will allow DMZ host to establish a connection that will be translated correctly to the inside address. If you want to make it more granular, please try the following:

access-list dmz_access_in line 1 permit udp any host 10.10.10.254 eq 53

no access-list dmz_access_in permit ip any host 10.10.10.254

This will ensure that only UDP port 53 traffic is allowed from DMZ to inside and all other traffic initiated by the DMZ towards inside will be blocked.

Hope this answers your questions.

Regards,

NT

Note: Do not forget to rate useful posts.

0 Helpful

Go to solution
David Haman
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-07-2010 03:53 PM

now im just figuring out how to have dmz computers access some fileshares (windows port

445 and 139) i believe that sit behind the inside network.

Thank you again for your help

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to David Haman

‎07-07-2010 04:31 PM

Hello David,

You need to follow all the configuration steps similar to one you did for the DNS server.

object network
host

nat (inside,dmz) static

access-list dmz_access_in line 2 permit tcp any host eq

Repeate the above set for every server and the port.

Hope this helps.

Regards,

NT

0 Helpful

Go to solution
David Haman
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-07-2010 05:35 PM

Hi Nagaraja,

I wanted to thank you once again, you have helped so much

Thanks

David

0 Helpful

Go to solution
David Haman
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-08-2010 05:45 PM

How do I limit this to just DNS?

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to David Haman

‎07-08-2010 08:22 PM

Hello,

You can control the access using the access-list on the DMZ interface. The last set of access-list I posted will help you in tying down the access to any specific application.

access-list dmz_access_in permit udp any host eq 53  -- This line will ensure that anybody can access the DNS server

access-list dmz_access_in deny ip any -- This line will ensure that all other traffic is blocked to inside subnet

access-list dmz_access_in permit ip any any -- This line will ensure that the DMZ server can go to internet

If you want to allow access to any other server on the inside apart from the DNS server (or any other port on the same device), then you need to insert the access-list entry befor the deny statement.

access-list dmz_access_in permit udp any host eq 53

access-list dmz_access_in permit any host eq   -- Duplicate this line for every server (port) on the inside

access-list dmz_access_in deny ip any

access-list dmz_access_in permit ip any any

If you are trying to access the new servers, please make sure that appropriate NAT rules are entered (like the DNS server).

Hope this helps.

Regards,

NT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card