04-16-2015 02:21 AM - edited 03-11-2019 10:47 PM
Hi Guys,
I am trying to open all ports between two LANs (LAN1 = Inside, LAN2 = DMZ) on my ASA firewall. Attached is my running config. What commands can I include to achieve this?
Thanks for your help ..
Richard
04-16-2015 06:35 AM
Hi Richard,
There are some issues with your configuration; you will need to fix them before two-way communication between inside and DMZ will work.
1) For allowing all ports from inside to DMZ, you will need to simply allow the ports in the access-list:
access-list acl-inside-outside line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
2) However, for allowing traffic from DMZ to inside you will first need to get rid of
global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
Reason: the dynamic statement on inside will hide the inside network from any other network
nat (inside) 1 192.168.1.0 255.255.255.0
So you will need to create a NAT exempt statement:
access-list inside_nat0 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
and then allow all ports in the access-list:
access-list acl-dmz-outside line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Thanks
Pranay
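A way to sanity-check the resulting policy offline, added here as an example and not part of Pranay's answer or of any Cisco tooling: a small Python evaluator for the ASA 8.2-style access-list, access-group and nat 0 lines used in this answer. The sample configuration is constructed from the commands listed above; the parser handles only the syntax subset those commands use (permit/deny, a protocol, and any or address/mask operands), and the NAT-exemption model (a nat 0 access-list matches flows initiated from either side) is the ASA behaviour the answer relies on.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the commands listed in the answer above (not a captured running config).
THREAD_CONFIG = """
access-list acl-inside-outside line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
access-list acl-dmz-outside line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group acl-inside-outside in interface inside
access-group acl-dmz-outside in interface dmz
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _operand(tokens):
    """Consume 'any' or '<addr> <mask>' from the front of tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, bindings, exempt):
       acls     {acl_name: [Ace, ...]} in evaluation order
       bindings {interface: acl_name}  from 'access-group <acl> in interface <if>'
       exempt   {interface: acl_name}  from 'nat (<if>) 0 access-list <acl>'"""
    acls, bindings, exempt = {}, {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-group" and t[2] == "in":
            bindings[t[4]] = t[1]
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt[t[1].strip("()")] = t[4]
        elif t[0] == "access-list":
            name, rest, pos = t[1], t[2:], None
            if rest[0] == "line":           # explicit 1-based position within the ACL
                pos, rest = int(rest[1]) - 1, rest[2:]
            if rest[0] == "extended":
                rest = rest[1:]
            action, proto = rest[0], rest[1]
            src, rest = _operand(rest[2:])
            dst, _ = _operand(rest)
            entries = acls.setdefault(name, [])
            if pos is None:
                entries.append(Ace(action, proto, src, dst))
            else:
                entries.insert(pos, Ace(action, proto, src, dst))
    return acls, bindings, exempt


def flow_permitted(acls, bindings, ingress, proto, src_ip, dst_ip):
    """First-match evaluation of the ACL applied inbound on 'ingress'."""
    acl_name = bindings.get(ingress)
    if acl_name is None:
        # Simplification: a real ASA falls back to security-level rules here.
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls.get(acl_name, []):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False  # implicit deny at the end of every ASA ACL


def nat_exempt(acls, exempt, interface, src_ip, dst_ip):
    """True if the flow matches the NAT-exempt ACL bound with 'nat (<if>) 0 access-list'.
    NAT exemption is bidirectional: the ACL is written from the named interface's side,
    so a DMZ-initiated flow to an inside host matches with source/destination swapped."""
    acl = acls.get(exempt.get(interface), [])
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(
        ace.action == "permit"
        and ((s in ace.src and d in ace.dst) or (d in ace.src and s in ace.dst))
        for ace in acl
    )


if __name__ == "__main__":
    acls, bindings, exempt = parse_config(THREAD_CONFIG)
    for ingress, src, dst in (("inside", "192.168.1.10", "192.168.0.50"),
                              ("dmz", "192.168.0.50", "192.168.1.10"),
                              ("dmz", "192.168.0.50", "203.0.113.5")):
        print(ingress, src, "->", dst,
              "acl:", flow_permitted(acls, bindings, ingress, "tcp", src, dst),
              "nat-exempt:", nat_exempt(acls, exempt, "inside", src, dst))
```

The third sample flow (a DMZ host toward an address outside both LANs) shows why the answer's ACEs are narrower than the `permit ip any any` lines in the original config: with only the two 192.168.x.0/24 entries, that flow hits the implicit deny.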
04-17-2015 03:47 AM
Hi Pranay,
So to achieve my aim, I should run the following commands:
1) access-list acl-inside-outside line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
2) no global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
3) access-list inside_nat0 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
4) nat (inside) 0 access-list inside_nat0
5) access-list acl-dmz-outside line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
I noticed that you have used "outside" in the first command; did you mean "DMZ"?
Also in the 5th command you used "outside"; did you mean "inside"?
Thanks for your help ..
Richard
04-17-2015 04:36 AM
Your current ACL config is:
access-group acl-inside-outside in interface inside
access-group acl-dmz-outside in interface dmz
And you will need to add ACEs to these access-groups, so I named them correctly.
04-17-2015 04:41 AM
OK, thank you so much. I will let you know how it goes when I do the modification.
~Richard
04-17-2015 04:48 AM
Sure. And also make sure that you have the default route pointing to the ASA's DMZ interface on the host machines in the DMZ.
04-16-2015 09:05 AM
Hi Richard,
In your configuration, you have already allowed all traffic on both the inside and the dmz interface:
access-list acl-inside-outside extended permit icmp any any
access-list acl-inside-outside extended permit ip any any
access-list acl-dmz-outside extended permit icmp any any
access-list acl-dmz-outside extended permit ip any any
The NAT rules are also correct:
global (dmz) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
The firewall should not be dropping any packets between the two segments (i.e. from inside to dmz).
Let me know if you run into any issue.
Regards,
Shrinkhala Singhania
04-17-2015 04:39 AM
"I am trying to open all ports between two LANs (LAN1 = Inside, LAN2 = DMZ) on my ASA firewall"
He is trying to allow traffic both ways, so those NAT statements need to be modified.