Open ports between LANs on ASA Firewall ..

richard_steiner
Level 1

Hi Guys,

I am trying to open all ports between two LANs (LAN1= Inside, LAN2= DMZ) on my ASA firewall ..attached is my running config. What commands can I include to achieve this?

 

Thanks for your help ..

Richard

7 Replies

Pranay Prasoon
Level 3

Hi Richard,

There are some issues with your configuration; you will need to fix them before two-way communication between inside and DMZ will work.

 

1) To allow all ports from inside to DMZ, you simply need to allow the ports in the access-list:

access-list acl-inside-outside line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

 

2) However, to allow traffic from DMZ to inside you will first need to get rid of

global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

 

The reason is that the dynamic NAT statement on inside will hide the inside network from any other network:

nat (inside) 1 192.168.1.0 255.255.255.0

 

So you will need to create a NAT exempt statement:

access-list inside_nat0 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list inside_nat0

and then allow all ports in the access-list:

access-list acl-dmz-outside line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

 

Thanks

Pranay

 
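The steps above, pulled together as one consolidated fragment in the same pre-8.3 ASA syntax the running config uses, with the show/packet-tracer commands you would use to confirm the result. This is an added example, not part of any reply in the thread: the host addresses used in the packet-tracer lines (192.168.0.50 in the DMZ, 192.168.1.10 on the inside) are assumptions chosen for illustration, and the 8.3+ equivalent at the end is included only for readers on newer code, where the global/nat keywords no longer exist.

```text
! --- Pre-8.3 syntax (matches the global/nat statements in the thread) ---

! 1) Drop the dynamic PAT pool on the DMZ interface so inside hosts are
!    no longer hidden behind 192.168.0.20-254 when they talk to the DMZ.
no global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

! 2) NAT exemption: inside <-> DMZ traffic keeps its real addresses.
!    nat 0 with an ACL is bidirectional, so a single statement on the
!    inside interface also lets DMZ hosts initiate connections inward.
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0

! 3) Interface ACLs. These are the ACL names already bound by access-group
!    in the running config; the ACEs are inserted at line 1 so they sit
!    above anything else in the list.
access-list acl-inside-outside line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl-dmz-outside line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group acl-inside-outside in interface inside
access-group acl-dmz-outside in interface dmz

! --- Verification (assumed host addresses, pick real ones from each LAN) ---
! Confirm the exemption is in place and no xlate is built for inside->DMZ.
show nat
show xlate
! Simulate a DMZ host opening TCP/80 to an inside host; the last line of the
! output should read "Action: allow" and the NAT phase should show nat 0.
packet-tracer input dmz tcp 192.168.0.50 12345 192.168.1.10 80
! And the reverse direction from inside to DMZ.
packet-tracer input inside tcp 192.168.1.10 12345 192.168.0.50 80

! --- ASA 8.3+ equivalent (twice NAT identity rule; only if global/nat are rejected) ---
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-NET
 subnet 192.168.0.0 255.255.255.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
```

One caveat worth stating plainly: a permit ip rule from the DMZ into the inside network removes the segmentation a DMZ exists to provide. If the goal is really "everything works", the commands above do that; if the goal is to reach a few specific inside services from the DMZ, replace the DMZ-side permit ip line with per-host, per-port ACEs and keep the NAT exemption as shown.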

Hi Pranay,

So to achieve my aim, I should run the following commands:

1) access-list acl-inside-outside line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

2) no global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

3) access-list inside_nat0 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

4) nat (inside) 0 access-list inside_nat0

5) access-list acl-dmz-outside line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0


I noticed that you have used "outside" in the first command, did you mean "DMZ" ?
Also in the 5th command you used "outside" ..did you mean "inside" ?

Thanks for your help ..

Richard

Your current ACL config is

access-group acl-inside-outside in interface inside
access-group acl-dmz-outside in interface dmz

 

And you will need to add ACEs to these access-groups. So I named them correctly.

Ok ..thank you so much. I will let you know how it goes when I do the modification.

~Richard

Sure. And also make sure that the host machines in the DMZ have a default route pointing to the ASA's DMZ interface.

shrising
Level 1

Hi Richard,

In your configuration, you have already allowed all traffic on both the inside and the dmz interface:

access-list acl-inside-outside extended permit icmp any any
access-list acl-inside-outside extended permit ip any any
access-list acl-dmz-outside extended permit icmp any any
access-list acl-dmz-outside extended permit ip any any

The NAT rules are also correct:

global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0

The firewall should not be dropping any packets between the two segments (i.e. from inside to dmz)

Let me know if you run into any issue.

 

Regards,

Shrinkhala Singhania

"I am trying to open all ports between two LANs (LAN1= Inside, LAN2= DMZ) on my ASA firewall "

 

He is trying to allow traffic both ways, so those NAT statements need to be modified.

 

 
