DMZ to INSIDE subnet access

imanco671
Level 1

Hello Community,

I have a DMZ and an INSIDE. I want to allow FTP traffic from one DMZ server to a particular FTP server on another subnet not handled by my ASA.

My ASA has a DMZ interface, INSIDE interface.

My INSIDE interface is connected to many other subnets via internal router.

So my DMZ server will have to go through the INSIDE interface subnet to reach this FTP server.

DMZ server: 192.168.220.21

FTP server: 10.10.10.5

INSIDE subnet: 192.168.210.0

Thanks in Advance.

4 Replies

cadet alain
VIP Alumni

Hi,

Post your current sanitized config and we will tell you the commands to add or modify

Regards.

Alain

Don't forget to rate helpful posts.

Manouchehr
Level 1

You need to add an ACL on ASA to allow access from DMZ to INSIDE and make sure that you have the routing that your FTP_Subnet can reach back to DMZ subnet and vice versa...

Should you still have issues please post your config...

Regards,

Manny

Hello guys,

Sorry for the delay.

I am not sure if this command is correct:

access-list dmz_in extended permit tcp host 192.168.220.21 host 10.10.10.5 eq ftp

access-group dmz_in in interface inside

I definitely don't think my access-group command is correct, but I think I'm close on my ACL. I don't have an access group for my DMZ to inside (which I assume I need).

I am also wondering if I need a static each dmz to inside opened port.

static (DMZ,inside) 10.10.10.5 192.168.220.21 netmask 255.255.255.255

Thanks

John

ciscodemo# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscodemo
domain-name arl.com
enable passworU.Tf7HhdwWvVGT3h encrypted
passwd 2KFQnIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.xx.xx.66 255.255.255.224
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.220.222 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.210.222 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ari.com
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 173.xxx.xx.70 eq www
access-list outside_in extended permit tcp any host 173.xxx.xx.71 eq www
access-list vpn standard permit host 0.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0
access-list vpn-dmz standard permit 192.168.220.0 255.255.255.0
access-list vpn-dmz standard permit 192.168.210.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
ip local pool DMZ230 192.168.230.100-192.168.230.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DMZ) 1 192.168.220.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.210.0 255.255.255.0
nat (inside) 1 192.168.230.0 255.255.255.0
static (DMZ,outside) 173.xxx.xx.70 192.168.220.10 netmask 255.255.255.255
static (DMZ,outside) 173.xxx.xx.71 192.168.220.21 netmask 255.255.255.255
access-group outside_in in interface outside
!
router rip
 network 192.168.210.0
 network 192.168.220.0
 passive-interface DMZ
 version 2
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 173.xxx.xx.65 1
route outside 192.168.230.0 255.255.255.0 192.168.210.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.210.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable DMZ
 svc enable
group-policy DMZAccess internal
group-policy DMZAccess attributes
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy excludespecified
 split-tunnel-network-list value vpn
 default-domain value arisgl.com
username syn-client4 password dIb97qfm6shciivc encrypted privilege 0
username syn-client4 attributes
 vpn-group-policy DMZAccess
username syn-client5 password dIb97qfm6shciivc encrypted privilege 0
username syn-client5 attributes
 vpn-group-policy DMZAccess
username syn-client2 password dIb97qfm6shciivc encrypted privilege 0
username syn-client2 attributes
 vpn-group-policy DMZAccess
username syn-client3 password dIb97qfm6shciivc encrypted privilege 0
username syn-client3 attributes
 vpn-group-policy DMZAccess
username syn-client1 password dIb97qfm6shciivc encrypted privilege 0
username syn-client1 attributes
 vpn-group-policy DMZAccess
tunnel-group DMZAccess type remote-access
tunnel-group DMZAccess general-attributes
 address-pool DMZ230
 default-group-policy DMZAccess
tunnel-group DMZAccess ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ftp
  inspect ipsec-pass-thru
  inspect http
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:56c4f0314ac58686164da17
: end
ciscodemo#

access-list dmz_in extended permit tcp host 192.168.220.21 host 10.10.10.5 eq ftp

access-group dmz_in in interface inside

The access-list is correct, the access-group is not. Should be

access-group dmz_in in interface DMZ

Also add

static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Also this route isn't making sense to me as you said that the 192.168.210.0 network is inside. Therefore the path to the 230 network would not be on the outside interface towards 192.168.210.222.

route outside 192.168.230.0 255.255.255.0 192.168.210.222 1
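To make the two points raised in this thread concrete (the ACL has to be applied inbound on the interface the traffic enters, and on pre-8.3 code the destination needs a static between the two interfaces), here is an added Python checker. It is not part of this thread and is not a Cisco tool. It parses constructed config fragments that mirror the interfaces above, once with the poster's `access-group dmz_in in interface inside` binding and once with the corrected binding plus the suggested static, and reports for a given flow which interface it enters, whether the bound ACL (or the security-level default when no ACL is bound) permits it, and whether a `static` between the two interfaces covers the destination. The `route inside 10.10.10.0 ...` line and the inside host address used in the reverse-direction test are assumptions; `nat 0` exemptions and the full NAT order of operations are deliberately not modelled.

```python
"""Pre-8.3 ASA flow check: ingress interface, inbound ACL, static coverage.
Added example; only 'interface', 'route', 'access-list ... extended',
'access-group' and 'static' lines are understood."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed config fragments mirroring the thread. The 'route' line is an
# assumption (the posted config learns inside routes via RIP instead).
BASE_CONFIG = """\
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.220.222 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.210.222 255.255.255.0
route inside 10.10.10.0 255.255.255.0 192.168.210.1
access-list dmz_in extended permit tcp host 192.168.220.21 host 10.10.10.5 eq ftp
"""
POSTED_CONFIG = BASE_CONFIG + "access-group dmz_in in interface inside\n"
FIXED_CONFIG = BASE_CONFIG + (
    "access-group dmz_in in interface DMZ\n"
    "static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0\n")
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)   # nameif -> security-level
    nets: list = field(default_factory=list)     # (nameif, network): connected + routes
    acls: dict = field(default_factory=dict)     # acl name -> [Ace]
    groups: dict = field(default_factory=dict)   # (nameif, "in") -> acl name
    statics: list = field(default_factory=list)  # (real_if, mapped_if, mapped network)


@dataclass
class Verdict:
    ingress: Optional[str]
    egress: Optional[str]
    permitted: bool           # ACL (or security-level default) allows the flow
    static_covers_dst: bool   # a static (egress,ingress) covers the destination
    notes: list


def _net(t, i):
    """Parse 'host A' | 'any' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_config(text):
    cfg, cur = AsaConfig(), {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            cur["name"] = t[1]
        elif t[0] == "security-level":
            cfg.levels[cur["name"]] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cfg.nets.append((cur["name"], ipaddress.ip_interface(f"{t[2]}/{t[3]}").network))
        elif t[0] == "route":
            cfg.nets.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}")))
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _net(t, 5)
            dst, i = _net(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            cfg.acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
        elif t[0] == "access-group":   # access-group NAME in interface IF
            cfg.groups[(t[4], t[2])] = t[1]
        elif t[0] == "static":         # static (real,mapped) MAPPED REAL netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            cfg.statics.append((real_if, mapped_if, ipaddress.ip_network(f"{t[2]}/{mask}")))
    return cfg


def interface_for(cfg, ip):
    """Longest-prefix match over connected subnets and static routes."""
    hits = [(net.prefixlen, name) for name, net in cfg.nets if ip in net]
    return max(hits)[1] if hits else None


def check_flow(cfg, proto, src, dst, dport):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = interface_for(cfg, src_ip), interface_for(cfg, dst_ip)
    if ingress is None or egress is None:
        return Verdict(ingress, egress, False, False, ["no interface/route for an endpoint"])
    notes, acl = [], cfg.groups.get((ingress, "in"))
    if acl is None:   # nothing bound inbound: the security-level default decides
        permitted = cfg.levels[ingress] > cfg.levels[egress]
        notes.append(f"no inbound ACL on {ingress}; lower-to-higher security is denied by default"
                     if not permitted else f"no inbound ACL on {ingress}; higher-to-lower permitted")
    else:
        hit = next((a for a in cfg.acls.get(acl, []) if a.proto in (proto, "ip")
                    and src_ip in a.src and dst_ip in a.dst and a.dport in (None, dport)), None)
        permitted = hit is not None and hit.action == "permit"
        notes.append(f"ACL {acl} on {ingress}: " + ("permit matched" if permitted else "implicit deny"))
    covered = any(r == egress and m == ingress and dst_ip in net for r, m, net in cfg.statics)
    notes.append(f"static ({egress},{ingress}) for {dst_ip}: {'present' if covered else 'absent'}")
    return Verdict(ingress, egress, permitted, covered, notes)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        v = check_flow(parse_config(text), "tcp", "192.168.220.21", "10.10.10.5", 21)
        print(label, v.permitted, v.static_covers_dst, *v.notes, sep="\n  ")
```

Run as a script it prints the verdict for both configs: the posted binding leaves nothing inbound on DMZ, so the DMZ-to-inside flow falls to the lower-to-higher default and is denied, while the corrected binding matches the ACE and the static covers 10.10.10.5. The same `check_flow` can be pointed at any other flow (a different destination host, or an inside-initiated flow back toward the DMZ server) to see which of the two conditions fails.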
