Problem getting from inside to the DMZ

Hi


In my inside network we have more than 2 VLANs, and we want the inside network to access the servers that are in the DMZ.

I have tried many ways and I would like it if someone can help me understand how I have to do it.


DMZ network: 192.169.120.0 255.255.255.0

object-group LAN
172.10.10.0 /24
172.10.20.0 /24
172.10.30.0 /24

access-list Inside extended permit ip object-group LAN 192.169.120.0 255.255.255.0

access-list DMZ extended permit ip any any

access-group Inside in interface inside
access-group DMZ in interface dmz


For example, we did this:


access-list INSIDE extended permit ip host 192.168.120.5 192.168.120.0 255.255.255.240
access-list DMZ extended permit ip any any

static (inside,DMZ) 192.168.120.5 172.10.10.4 netmask 255.255.255.255


The IP 172.10.10.4 is a PC on my inside network.


With that example I could access the DMZ switch.
But when I try to do this:

static (inside,DMZ) access-list INSIDE 172.10.10.4 netmask 255.255.255.255

I get an error: ERROR: access-list used in static has different local addresses

Thanks for any help that you can provide me.

Accepted Solution

Maykol Rojas
Cisco Employee

Hello,

If you want only traffic from the inside to be initiated to the DMZ and not backwards, you can just apply a simple PAT, if the inside interface has a higher security level than the DMZ, for example:

The same NAT you have for internet access (in case you have one) would look like this:

nat (inside) 1 0 0

global (outside) 1 interface

You can just add the following global:

global (DMZ) 1 interface

Same as in the other cases, the best troubleshooting tool to check where the access is being broken is:

packet-tracer input inside tcp 1025 80

That would give you the information about the packet, where and when it is being dropped.

Cheers

Mike.


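Putting the accepted answer together with the addresses from the question, the complete pre-8.3 ASA configuration for inside-initiated access to the DMZ would look like this. This is an added example, not configuration from the original post: the interface names and security levels, the DMZ server address 192.169.120.10 and the use of the client 172.10.10.4 in the packet-tracer check are assumptions.

```cisco
! PAT from a higher to a lower security level needs no NAT rule on the
! DMZ side, but the security levels must be ordered this way (assumed).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
!
! Inside subnets from the question, grouped as in the original post.
object-group network LAN
 network-object 172.10.10.0 255.255.255.0
 network-object 172.10.20.0 255.255.255.0
 network-object 172.10.30.0 255.255.255.0
!
! Inbound ACL on inside: only LAN hosts may open connections to the DMZ subnet.
access-list Inside extended permit ip object-group LAN 192.169.120.0 255.255.255.0
access-group Inside in interface inside
!
! Dynamic PAT: nat id 1 covers every inside source ("nat (inside) 1 0 0"
! in the answer is the same thing written short) ...
nat (inside) 1 0.0.0.0 0.0.0.0
! ... and one global per lower-security interface those sources should reach.
global (outside) 1 interface
global (DMZ) 1 interface
!
! Note on the question's "access-list DMZ extended permit ip any any" applied
! inbound on DMZ: return traffic for inside-initiated sessions is allowed by
! the stateful inspection without it, so that ACL only governs connections
! the DMZ hosts themselves initiate.
!
! Check: the inside client 172.10.10.4 opening a web connection to the
! assumed DMZ server 192.169.120.10, source port 1025 as in the answer.
packet-tracer input inside tcp 172.10.10.4 1025 192.169.120.10 80
```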

3 Replies


Hi Mike,

I did have the same problem, and it got resolved by your answer given for this post.

Thank you Very Much

Regards

Kiran Kumar CH

Hello,

Thanks for your help.

1. So if I want an interface that has a higher level to go to a lower level, I have to make a simple PAT, as you said.

I did what you said and it works, but with that configuration can a PC on the DMZ enter the inside, or do I have to do something else?

2. If I want only PCs from the DMZ to access the inside, what do I have to do, because I want to access from a lower interface to a higher interface?

Regards
