On Communication over inside to dmz ASA 5510

harishrajkv
Level 1

Hello All,

What all is required when communicating from Inside (security level 100) to DMZ (security level 25), both having private pools?

inside IP: 192.168.7.10

DMZ IP: 192.168.107.10

service: RDP.

I know we need to add an ACL on DMZ-in; apart from that, do we need any NAT configs? If yes, then why do we need them and what will be the syntax?

Thanks in advance.

-

Harish

5 Replies

As always: It depends ...

  1. On the DMZ interface you don't need any ACL. An ACL is only needed on the interface where the traffic is initiated. If the traffic is sent *to* the DMZ, then the return traffic is automatically allowed through stateful inspection.
  2. If you don't have any ACL on the inside interface, then you are done. Traffic from a higher to a lower security level is automatically allowed in this case.
  3. If there is an ACL on the inside interface, then add an ACE that allows this traffic to the RDP server in the DMZ.
  4. NAT is not needed, as you have full routing between inside and DMZ. But if all inside traffic is subject to NAT (as it typically was with ASA versions < 8.3), then you should exempt this traffic from NAT.
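
The following ASA configuration is an added example for points 3 and 4 above; it is not taken from this thread or from Cisco documentation. The interface names inside/dmz and the two hosts come from the question; the ACL names INSIDE-IN and NONAT, the object names, and the client source port are assumptions.

```cisco
! Point 3 (ASA 8.3 and later): an ACL is already bound to the inside interface,
! so add an ACE that permits RDP (TCP/3389) from the inside host to the DMZ host.
! The ACL name INSIDE-IN is assumed. Binding an ACL to inside adds an implicit
! deny at the end, so every other flow that inside users need must be permitted too.
access-list INSIDE-IN extended permit tcp host 192.168.7.10 host 192.168.107.10 eq 3389
access-group INSIDE-IN in interface inside
!
! Point 4, pre-8.3 syntax: only needed when a rule such as "nat (inside) 1 0.0.0.0 0.0.0.0"
! already translates all inside traffic. NAT exemption keeps the inside-to-DMZ
! addresses untouched. The ACL name NONAT is assumed.
access-list NONAT extended permit ip 192.168.7.0 255.255.255.0 192.168.107.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Point 4, 8.3 and later: routed traffic between inside and dmz needs no NAT rule at all.
! If a broad dynamic rule exists and must not catch this flow, an identity twice-NAT
! rule keeps both source and destination unchanged (object names are assumed).
object network INSIDE-RDP-CLIENT
 host 192.168.7.10
object network DMZ-RDP-SERVER
 host 192.168.107.10
nat (inside,dmz) source static INSIDE-RDP-CLIENT INSIDE-RDP-CLIENT destination static DMZ-RDP-SERVER DMZ-RDP-SERVER
!
! Verification (exec mode, not configuration): simulate the first TCP SYN of an RDP
! session and read the ACCESS-LIST and NAT phases; the final line must say ALLOW.
packet-tracer input inside tcp 192.168.7.10 40000 192.168.107.10 3389
```

The packet-tracer line is the practical check for the whole thread: it reports which ACE permitted the flow and which NAT rule (if any) it matched, so a missing ACE or an unintended translation shows up before a real client is tested.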

Hello Karsten,

Thanks for the time and your response.

Inside to DMZ: I think no ACL is required, 100 to 25 security level.

DMZ to inside: we need an ACL because the security level is higher on inside, that's what I thought. Can you confirm if stateful inspection works in this case, e.g. 100 to 25?

Firewall version is above 8.4.

Snippet as per my understanding (let me know if I'm correct or wrong):

-----------------
object network NAT-Source
 host 192.168.7.10
object network NAT-Destination
 host 192.168.107.10
nat (inside,dmz) source static NAT-Source NAT-Source destination static NAT-Destination NAT-Destination
-----------------

Thanks again.

Harish

The ASA is a stateful firewall. Allowing the return traffic is the main purpose of a stateful firewall (in addition to other things).

And the NAT is probably not needed at all.

Thanks, and I will definitely get back to you with feedback when I get time to work on this. -Harish

Hello Karsten,

I got the chance to work on the issue.

There was no access-group applied on the inside interface, and I allowed any traffic; it worked.

NAT not required.

Thank you

- Harish
