03-23-2012 10:36 PM - edited 03-04-2019 03:47 PM
Dear boss
Please see my attached network diagram and the following configuration.
interface Ethernet0/0
 nameif local
 security-level 100
 ip address 192.168.0.243 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0
access-list DMZTOLocal extended permit ip host 192.168.0.241 192.168.0.0 255.255.0.0
static (DMZ,local) 192.168.0.241 172.29.1.5 netmask 255.255.255.255
access-group DMZTOLocal out interface local
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
I get ping and access to 192.168.0.241 (172.29.1.5) from 192.168.0.0/16, but can't get access and ping from 172.29.1.5 to 192.168.0.0/16.
What can I do if I want to get ping from DMZ to local?
Please suggest me.
Thanking you
Shahid
03-24-2012 06:01 AM
Shahid,
The ASA/PIX firewalls allow you to go from a higher security level to a lower security level by default, but block traffic coming the other direction. You'll need to add an ACL on the DMZ interface allowing the traffic into your local LAN from the DMZ.
As a side note, is there a reason that you're NATing into the DMZ from your local side? You shouldn't if you can help it.
access-list FromDMZ permit icmp host 172.29.1.5 192.168.0.0 255.255.255.0
access-group FromDMZ in interface DMZ
John
Please rate useful posts...
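To make the security-level rule and John's fix concrete, here is an added Python model of how the ASA decides the first packet of a flow; it is not code from this thread or from Cisco, and it assumes pre-8.3 ACL semantics (ACLs match the addresses as seen on the interface they are applied to), the poster's addresses, and a constructed outside peer 10.0.0.1. It also shows two side effects of the fix as written: only ICMP is permitted, and once FromDMZ is applied inbound the implicit higher-to-lower permit on DMZ is gone, so DMZ-to-outside traffic needs its own entry.

```python
from ipaddress import ip_address, ip_network

# Interface security levels from the poster's config.
LEVELS = {"local": 100, "outside": 0, "DMZ": 50}

# ACLs as (action, proto, src_net, dst_net) lists, keyed by (interface, direction).
# Poster: access-list DMZTOLocal ... / access-group DMZTOLocal out interface local
ORIGINAL = {("local", "out"): [("permit", "ip", "192.168.0.241/32", "192.168.0.0/16")]}
# John's fix: access-list FromDMZ ... / access-group FromDMZ in interface DMZ
WITH_FIX = dict(ORIGINAL)
WITH_FIX[("DMZ", "in")] = [("permit", "icmp", "172.29.1.5/32", "192.168.0.0/24")]

def acl_permits(entries, proto, src, dst):
    """First matching entry wins; an applied ACL ends with an implicit deny any."""
    for action, aproto, snet, dnet in entries:
        if aproto in ("ip", proto) and ip_address(src) in ip_network(snet) \
                and ip_address(dst) in ip_network(dnet):
            return action == "permit"
    return False

def first_packet_allowed(acls, ingress, egress, proto, in_view, out_view):
    """in_view/out_view are (src, dst) as seen on the ingress and egress interface:
    pre-8.3 ACLs match mapped addresses, so the poster's static makes 172.29.1.5
    on DMZ appear as 192.168.0.241 on local (modelled by the callers below)."""
    if (ingress, "in") in acls:      # an inbound ACL replaces the level rule entirely
        allowed = acl_permits(acls[(ingress, "in")], proto, *in_view)
    else:                            # default: only higher -> lower security passes
        allowed = LEVELS[ingress] > LEVELS[egress]
    if allowed and (egress, "out") in acls:
        allowed = acl_permits(acls[(egress, "out")], proto, *out_view)
    return allowed

def dmz_host_to_local(acls, proto, local_host):
    return first_packet_allowed(acls, "DMZ", "local", proto,
                                ("172.29.1.5", local_host), ("192.168.0.241", local_host))

def local_host_to_dmz(acls, proto, local_host):
    return first_packet_allowed(acls, "local", "DMZ", proto,
                                (local_host, "192.168.0.241"), (local_host, "172.29.1.5"))

def dmz_host_to_outside(acls, proto, outside_host="10.0.0.1"):  # constructed peer address
    view = ("172.29.1.5", outside_host)
    return first_packet_allowed(acls, "DMZ", "outside", proto, view, view)

if __name__ == "__main__":
    print(local_host_to_dmz(ORIGINAL, "icmp", "192.168.0.10"))  # True: 100 -> 50
    print(dmz_host_to_local(ORIGINAL, "icmp", "192.168.0.10"))  # False: 50 -> 100, no inbound ACL
    print(dmz_host_to_local(WITH_FIX, "icmp", "192.168.0.10"))  # True: FromDMZ permits icmp
    print(dmz_host_to_local(WITH_FIX, "tcp", "192.168.0.10"))   # False: "access" needs more lines
    print(dmz_host_to_outside(WITH_FIX, "tcp"))                 # False: FromDMZ's implicit deny
```

Echo replies get back only because the poster's policy-map already has inspect icmp. John's ACL matches the /24 he wrote, so hosts elsewhere in 192.168.0.0/16 stay blocked until the mask is widened.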