04-27-2011 10:09 AM - edited 03-11-2019 01:26 PM
Hi
In my inside network we have more than 2 VLANs, and we want the inside network to access the servers that are in the DMZ.
I have tried many ways, and I would like someone to help me understand how I have to do it.
DMZ network: 192.169.120.0 255.255.255.0
object-group network LAN
 network-object 172.10.10.0 255.255.255.0
 network-object 172.10.20.0 255.255.255.0
 network-object 172.10.30.0 255.255.255.0
access-list Inside extended permit ip object-group LAN 192.169.120.0 255.255.255.0
access-list DMZ extended permit ip any any
access-group Inside in interface inside
access-group DMZ in interface dmz
For example, we did this:
access-list INSIDE extended permit ip host 192.168.120.5 192.168.120.0 255.255.255.240
access-list DMZ extended permit ip any any
static (inside,DMZ) 192.168.120.5 172.10.10.4 netmask 255.255.255.255
The IP 172.10.10.4 is a PC on my inside network.
With that example I could access the DMZ switch.
But when I try to do this:
static (inside,DMZ) access-list INSIDE 172.10.10.4 netmask 255.255.255.255
I get an error: ERROR: access-list used in static has different local addresses
Thanks for any help you can provide.
04-27-2011 02:54 PM
Hello,
If you want only traffic from the inside to be initiated to the DMZ and not backwards, you can just apply a simple PAT, provided the inside interface has a higher security level than the DMZ. For example:
The same NAT you have for Internet access (in case you have one) would be like this:
nat (inside) 1 0 0
global (outside) 1 interface
You can just add the following global:
global (DMZ) 1 interface
Same as in the other cases, the best troubleshooting tool to check where the access is being broken is
packet-tracer input inside tcp
That would give you the information about the packet: where and when it is being dropped.
Cheers
Mike.
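Putting Mike's nat/global pair together with the asker's object-group and ACLs, here is an added ASA 8.2-style example (not configuration from the thread or from Cisco) of a complete inside-to-DMZ setup. The server address 192.168.120.5, the ports 80/443 and the packet-tracer source port are assumptions; the interface names and address ranges come from the thread.

```cisco
! Added example, not from the original post. Assumes ASA 8.2 syntax,
! inside at a higher security level than DMZ.
object-group network LAN
 network-object 172.10.10.0 255.255.255.0
 network-object 172.10.20.0 255.255.255.0
 network-object 172.10.30.0 255.255.255.0
!
! Dynamic PAT: inside hosts reach the DMZ behind the DMZ interface address.
! The translation is created only for inside-initiated flows, so it gives
! the DMZ no way to open connections towards the inside.
nat (inside) 1 0.0.0.0 0.0.0.0
global (DMZ) 1 interface
!
! Inbound ACL on inside: allow only the services the DMZ servers offer
! (assumed HTTP/HTTPS) instead of "permit ip". The ACL ends in an implicit
! deny, so any other inside-initiated traffic (e.g. Internet access) needs
! its own permit lines here.
access-list Inside extended permit tcp object-group LAN 192.168.120.0 255.255.255.0 eq 80
access-list Inside extended permit tcp object-group LAN 192.168.120.0 255.255.255.0 eq 443
access-group Inside in interface inside
!
! Inbound ACL on DMZ: the thread uses "permit ip any any" here, which lets a
! DMZ host try to reach the inside. Deny the LAN ranges explicitly, then
! permit what the DMZ legitimately needs (assumed: anything else, e.g. Internet).
access-list DMZ extended deny ip 192.168.120.0 255.255.255.0 object-group LAN log
access-list DMZ extended permit ip 192.168.120.0 255.255.255.0 any
access-group DMZ in interface dmz
!
! Trace one inside-to-DMZ flow through NAT and ACL phases; source port 12345
! is arbitrary. An inside-to-LAN attempt from the DMZ should show ACL drop.
packet-tracer input inside tcp 172.10.10.4 12345 192.168.120.5 80
packet-tracer input dmz tcp 192.168.120.5 12345 172.10.10.4 445
```

The second packet-tracer is the negative check: it should report the flow dropped by the DMZ ACL, confirming the DMZ cannot initiate into the LAN even though the PAT exists.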
04-28-2011 03:25 AM
Hi Mike,
I had the same problem, and it got resolved by your answer given for this post.
Thank you very much.
Regards
Kiran Kumar CH
04-28-2011 12:19 PM
Hello,
Thanks for your help.
1. So if I want an interface that has a higher security level to go to a lower level, I have to make a simple PAT as you said.
I did what you said and it works, but with that configuration can PCs on the DMZ enter the inside, or do I have to do something else?
2. If I want only PCs from the DMZ to access the inside, what do I have to do, because I want to access from a lower interface to a higher interface?
Regards