01-21-2012 08:53 AM - edited 03-04-2019 02:58 PM
Dear all,
I want DMZ1 talk to VLAN99 with port 1433.
Please, find the attached file and comment.
Thanks.
01-21-2012 01:59 PM
Modify the following in the switch:
ip access-list extended DENY_ISA
deny ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
deny ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
deny ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
permit ip any any
interface Vlan124
ip address 192.168.192.1 255.255.255.0
ip access-group (missing ACL)
in the ASA:
route LAN 192.168.122.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.123.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.192.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.125.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.126.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.127.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.128.0 255.255.255.0 192.168.121.2 1
02-10-2012 07:11 PM
I had a look at your original switch configuration and the acl for vlan 125 is denying everyone, it doesn't have a permit statement at the end.
ip access-list extended DENY_ISA
deny ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
deny ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
deny ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
It needs a permit statement like Edison mentioned
Also the output of your ASA has some typing mistakes and I wonder if it is because of copy-paste or has been configured like that.
access-list NO-NAT extended permit ip 192.168.1 what network or ip refers to?
access-list DMZ_IN extended deny ip 192.168.120.0 255.255.255.0 192.168.123.0 25
5.255.255.0 all other statements have 55.255.255.0
I think you should check all the typing mistakes first and then change it around.
Eugen
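Added illustration (not from the thread or from Cisco) of the point both replies make: a small Python evaluator of IOS extended ACL entries with wildcard masks, showing that the DENY_ISA list as posted matches nothing for most traffic and so falls through to the implicit deny, while appending permit ip any any lets the non-denied flows through. The ACL text is copied from the thread; the sample source/destination addresses are constructed.

```python
import ipaddress

# DENY_ISA exactly as posted in the thread (no trailing permit) ...
ACL_AS_POSTED = """
deny ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
deny ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
deny ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
"""
# ... and with the "permit ip any any" that both replies say is missing.
ACL_FIXED = ACL_AS_POSTED + "permit ip any any\n"


def _match(addr, spec, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (s & ~w)


def _addr(tok, i):
    """Parse one address field (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Turn 'deny|permit ip SRC DST' lines into (action, proto, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 2)
        dst, _ = _addr(tok, i)
        entries.append((tok[0], tok[1], src, dst))
    return entries


def evaluate(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, _proto, (s, sw), (d, dw) in acl:
        if _match(src, s, sw) and _match(dst, d, dw):
            return action
    return "deny (implicit)"


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(name, "125.10 -> 126.5:", evaluate(parse_acl(acl), "192.168.125.10", "192.168.126.5"))
```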