How to allow DMZ access to LAN with specific port?

ChhunSophea
Level 1

Dear all,

I want DMZ1 talk to VLAN99 with port 1433.

Please, find the attached file and comment.

Thanks.

2 Replies

Edison Ortiz
Hall of Fame

Modify the following in the switch:

ip access-list extended DENY_ISA
 deny   ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
 permit ip any any

interface Vlan124
 ip address 192.168.192.1 255.255.255.0
 ip access-group (missing ACL)

In the ASA:

route LAN 192.168.122.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.123.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.192.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.125.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.126.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.127.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.128.0 255.255.255.0 192.168.121.2 1

ebarticel
Level 4

I had a look at your original switch configuration and the ACL for VLAN 125 is denying everyone; it doesn't have a permit statement at the end.

ip access-list extended DENY_ISA
 deny   ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255

It needs a permit statement, like Edison mentioned.

Also the output of your ASA has some typing mistakes and I wonder if it is because of copy-paste or has been configured like that.

access-list NO-NAT extended permit ip 192.168.1
What network or IP does this refer to?

access-list DMZ_IN extended deny ip 192.168.120.0 255.255.255.0 192.168.123.0 25
5.255.255.0
All other statements have 55.255.255.0.

I think you should check all the typing mistakes first and then change it around.

Eugen
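Both replies come down to the same point: DENY_ISA ends in the implicit deny, so nothing from DMZ1 gets through. The following is an added example, not config from either reply, showing a tighter fix than a bare permit ip any any that answers the original question (DMZ1 to VLAN99 on TCP 1433 only); it assumes DMZ1 is VLAN 125 (192.168.125.0/24, as ebarticel's reply suggests) and uses 10.99.0.0/24 as a placeholder for the VLAN99 subnet, which the thread does not give.

```cisco
! Added example (not from the thread). Assumes DMZ1 = VLAN 125 (192.168.125.0/24)
! and VLAN99 = 10.99.0.0/24 (placeholder; the real subnet is in the attachment).
ip access-list extended DENY_ISA
 remark Least privilege: DMZ1 may reach VLAN99 only on TCP 1433 (SQL Server)
 permit tcp 192.168.125.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 1433
 remark Existing blocks toward internal networks, unchanged from the original ACL
 deny   ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
 remark Anything else from DMZ1 toward VLAN99 is dropped and logged
 deny   ip 192.168.125.0 0.0.0.255 10.99.0.0 0.0.0.255 log
 remark Explicit catch-all, as in Edison's reply; without it the implicit deny drops all DMZ1 traffic
 permit ip any any
!
interface Vlan125
 ip access-group DENY_ISA in
```

Apply it inbound on the DMZ1 SVI so it matches traffic as it leaves the DMZ toward the rest of the network; show ip access-lists DENY_ISA then reports per-entry match counters, and the logged deny makes any other DMZ1 attempts toward VLAN99 visible.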
