11-25-2013 05:12 PM - edited 03-11-2019 08:09 PM
hi everyone,
I just inherited an ASA from the previous System Admin and I need to configure it to allow a server sitting on the DMZ to communicate with 2 (failover) servers on the INSIDE zone on various UDP and TCP ports.
DMZ host : 192.168.3.202
INSIDE host 1: 192.168.2.122
INSIDE host 2: 192.168.2.123
I couldn't get the DMZ host to talk to the INSIDE host at all. Can you help me look at my configuration? For testing, I even added the 3 lines that I highlighted in orange to see if the communication goes through or not.
!---------------------------------------------------------------------------
! DMZ_Access_IN ACL
!---------------------------------------------------------------------------
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq 4500
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 4001
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq isakmp
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.123 eq 4500
access-list dmz_access_in extended permit ip host 192.168.3.202 host 192.168.2.122
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended permit icmp any host 192.168.2.1
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
global (dmz) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
static (dmz,outside) x.x.x.x 192.168.3.202 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
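Added example, not part of the post: a small Python model of the ASA's first-match ACL evaluation, run over a subset of the posted dmz_access_in entries in their original order, to show which entry each flow actually hits. The test flows and the 203.0.113.10 destination are constructed for this example.

```python
import ipaddress

PORT_NAMES = {"isakmp": 500}  # service names used by the posted ACL

# Subset of the posted dmz_access_in ACL, same order as in the configuration.
ACL_TEXT = """
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.122 eq 8009
access-list dmz_access_in extended permit udp host 192.168.3.202 host 192.168.2.122 eq isakmp
access-list dmz_access_in extended permit tcp host 192.168.3.202 host 192.168.2.123 eq 8009
access-list dmz_access_in extended permit ip host 192.168.3.202 host 192.168.2.122
access-list dmz_access_in extended permit ip any host 192.168.2.122
access-list dmz_access_in extended permit icmp any host 192.168.2.1
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
"""

def _addr(tokens):
    """Consume one ASA address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[3], t[4]
        src, t = _addr(t[5:])
        dst, t = _addr(t)
        port = None
        if t and t[0] == "eq":
            port = PORT_NAMES.get(t[1]) or int(t[1])
        rules.append((action, proto, src, dst, port, line))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, as on the ASA; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport, line in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, line
    return "deny", "implicit deny at end of ACL"
```

The two broad test entries decide most flows here: "permit ip host 192.168.3.202 host 192.168.2.122" makes the port-specific lines for .122 redundant, and the trailing "permit ip any any" lets the DMZ host reach any destination outside 192.168.2.0/24. The ACL is also only one gate: with this pre-8.3 syntax a dmz-to-inside flow additionally needs a translation (for example a static (inside,dmz)) where nat-control applies, and packet-tracer on the ASA reports which phase drops the flow.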