Allow access from inside to DMZ

BPGaven00
Level 1

I have an ASA 5515-X and I'm trying to allow access from the inside to the DMZ.  Here's my basic configuration:

inside 10.0.0.0/24

outside 1.1.1.0/30

DMZ 2.2.2.0/27

The addresses in the DMZ are NAT'd to IP addresses in the inside.  Both DMZ and outside are security level 0.  I want computers on the inside network to be able to access servers via their NAT'd DMZ address.  There is no need for any restrictions on that traffic.  What would be the appropriate rule to allow that traffic?

4 Replies

Ganesh Hariharan
VIP Alumni
Hi,

I hope you have configured the security level for the inside interface as 100. If yes, then by the thumb rule, traffic can flow from a higher security level to a lower security level without any problem.

Check out the below link for more information.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81815-generic-ports.html#Security-Levels-1

Hope it Helps..

-GI

Rate if it Helps..

Yes - security level for inside is 100.  Still no dice.  FYI - packet tracer says I'm good but I still can't get traffic from the inside to the DMZ to NAT back to the appropriate inside address.  Is it possible I need to add a NAT exception?

Hi,

So you mean traffic is coming from the inside 10.x.x.x network to the 2.2.x.x network, which is getting NATted to another subnet of the DMZ.

What is the packet capture at the DMZ interface level showing, and is the NAT statement a static NAT for the DMZ address?

-GI

Not quite - think of my DMZ as a second outside interface.  All servers are inside.  Egress traffic (for example, to the Exchange server) is handled via a NAT rule that redirects traffic for a particular IP in the DMZ to a particular IP inside, and there are appropriate access rules to allow the traffic.  Here's an example of how incoming traffic from the internet routes:

Any internet host wants to connect to one of my DMZ addresses, let's say 2.2.2.3.  My ISP routes the traffic to 1.1.1.1, which is the IP address on my outside interface.  A NAT rule translates the destination to 10.0.0.3 and, if the access rules permit, the connection is established.  That all works perfectly.

Now, here's what I'm trying to get working.  An inside address, let's say 10.0.0.100, wants to connect to that same DMZ address 2.2.2.3.  Initially, my dynamic PAT rule is going to try to translate the source to 1.1.1.1 and deliver it through the outside interface.  The first thing I believe I need is an exception to that, so that if the source is any inside address and the destination is any DMZ address it's exempted from the default dynamic PAT rule.  Now, here is where I anticipate the problem.  Let's say the ASA takes that traffic and delivers it to the translated destination on the inside network.  It would need to translate the source to the ASA's 2.2.2.1 IP address on the DMZ interface; otherwise the host will try to send the return traffic directly back to the source, at which point I would expect the packet to be dropped for any number of security reasons.  So, assuming that's all correct, I need settings to do the following:

If traffic from the inside network is destined for the DMZ, it's NAT'd to the DMZ interface and the source is changed to the ASA's DMZ IP address.  The destination is then translated to the appropriate inside address.  With that, the destination on the inside network sees the source as the ASA's DMZ IP address and NOT the actual source also within the inside network.

I would expect it to look something like this:

10.0.0.100 delivers packets to 10.0.0.1 with a destination of 2.2.2.3

ASA translates the source to 2.2.2.1 and the destination to 10.0.0.3
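A worked configuration for the hairpin (U-turn) case described in the post above, added here as an example and not taken from the thread or from Cisco's own documentation; it assumes ASA 8.3+ NAT syntax, the Exchange server at 10.0.0.3 published as 2.2.2.3, and made-up object names. It translates the source to the inside interface's own address rather than the DMZ address, because the translated packet re-enters the inside network and never crosses the DMZ interface.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ NAT syntax, the
! Exchange server at 10.0.0.3 published as 2.2.2.3, and hypothetical
! object names; adjust to the real configuration.

! Allow a flow to enter and leave the same interface (hairpin / U-turn).
same-security-traffic permit intra-interface

object network EXCHANGE-INSIDE
 host 10.0.0.3
object network EXCHANGE-DMZ-ADDR
 host 2.2.2.3
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0

! Existing publication of the server (auto NAT): 10.0.0.3 <-> 2.2.2.3
! for connections arriving on the outside interface.
object network EXCHANGE-INSIDE
 nat (inside,outside) static EXCHANGE-DMZ-ADDR

! Hairpin rule: inside host -> 2.2.2.3. The source is PATed to the
! ASA's inside interface address (so the server replies to the ASA and
! not directly to the client), and the destination is untranslated to
! 10.0.0.3. Manual (twice) NAT is evaluated before auto NAT, so this
! rule wins over an object-based dynamic PAT to outside; if the outbound
! PAT is also a manual rule, keep this rule at a lower line number so it
! is matched first.
nat (inside,inside) 1 source dynamic INSIDE-NET interface destination static EXCHANGE-DMZ-ADDR EXCHANGE-INSIDE

! Verify the translation before relying on it:
! packet-tracer input inside tcp 10.0.0.100 40000 2.2.2.3 443
! show xlate | include 2.2.2.3
```

The packet-tracer output should show the manual NAT rule as the matched translation and the egress interface as inside; if it still shows the outbound dynamic PAT, the hairpin rule is ordered after it.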