ASA5505 ACL rules - Need DMZ comps to communicate to inside server

I thought I had this all working, not sure why my DMZ computers can't ping the DHCP server (192.168.10.2 CPLserver).

Also my management VLAN can't ping my DHCP.

Can someone help me out?

I need the DMZ to communicate only with the CPLserver

I need management to be able to ping any computer on the inside.

I don't want the inside to ping the management.

I only want the CPLserver to communicate with the DMZ.  All other inside computers must not communicate with the DMZ.

I'm pretty sure the NAT entries are working correctly.

Can someone help me out?

: Written by enable_15 at 12:39:47.199 UTC Sun May 12 2013

!

ASA Version 8.2(5)

!

hostname ASA5505CPL

domain-name CPL

names

name 10.10.10.0 DMZ description Public Computers

name 192.168.10.0 Inside description CPL Staff Network

name 192.168.0.0 Management description Cisco equipment  Access only

name 192.168.1.0 default description Not in use

name 192.168.10.2 CPLserver

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 11-13

switchport mode trunk

!

interface Ethernet0/2

switchport access vlan 11

!

interface Ethernet0/3

switchport access vlan 12

!

interface Ethernet0/4

switchport access vlan 13

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

shutdown

nameif default

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan11

description Inside

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan12

nameif dmz

security-level 50

ip address 10.10.10.1 255.255.255.0

!

interface Vlan13

description Management

nameif Management

security-level 100

ip address 192.168.0.1 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name CPL

object-group network obj-10.0.1.0

object-group network obj-10.0.2.0

access-list inside_access_in extended permit ip any any

access-list INSIDE-NAT0 remark NO NAT between Local Networks

access-list INSIDE-NAT0 extended permit ip Inside 255.255.255.0 DMZ 255.255.255.0

access-list INSIDE-NAT0 extended permit ip Inside 255.255.255.0 Management 255.255.255.0

access-list InsidetoDMZ extended permit ip Inside 255.255.255.0 host DMZ

access-list ManagementtoDMZ extended permit ip Management 255.255.255.0 DMZ 255.255.255.0

access-list DMZ-NAT0 remark NO NAT between Local Networks

access-list DMZ-NAT0 extended permit ip DMZ 255.255.255.0 Management 255.255.255.0

access-list DMZ-NAT0 extended permit ip DMZ 255.255.255.0 Inside 255.255.255.0

access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks

access-list MANAGEMENT-NAT0 extended permit ip Management 255.255.255.0 DMZ 255.255.255.0

access-list MANAGEMENT-NAT0 extended permit ip Management 255.255.255.0 Inside 255.255.255.0

access-list DMZtoInside extended permit ip any host CPLserver

access-list DMZtoInside extended permit ip host DMZ host CPLserver

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 512

logging buffered debugging

logging asdm debugging

mtu default 1500

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu Management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any dmz

icmp permit any Management

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list INSIDE-NAT0

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list DMZ-NAT0

nat (dmz) 1 DMZ 255.255.255.0

nat (Management) 0 access-list MANAGEMENT-NAT0

nat (Management) 1 Management 255.255.255.0

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http Inside 255.255.255.0 inside

http Management 255.255.255.240 Management

http Management 255.255.255.0 Management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet Inside 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

1 Reply

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

and I had to change the security level of the DMZ to 100

I added these to the ACL - My DMZ computers can ping the file server, but it won't pull a DHCP address.
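Added worked example (editor's addition, not from either post in this thread). Three things in the posted config explain the symptoms: the DMZtoInside, InsidetoDMZ and ManagementtoDMZ lists are never bound with access-group, so only inside_access_in is in force and DMZ (50) to inside (100) falls to the default low-to-high deny; "host DMZ" in two of those lines matches the single address 10.10.10.0 because DMZ is a network name, not a host; and Management and inside are both security-level 100, which needs same-security-traffic permit inter-interface (the reply's fix) rather than re-levelling the DMZ. The DHCP failure after that fix is separate: DHCPDISCOVER is a link-local broadcast and is never routed across an ASA interface, so a DMZ client can ping CPLserver yet still get no lease; the ASA has to relay. The 8.2(5) fragment below implements the four stated requirements on the poster's existing names and interfaces. The ACL name DMZ_IN and the sample client 10.10.10.50 used in the checks are assumptions; CPLserver's address 192.168.10.2 is the poster's.

```cisco
! Example rule set for ASA 8.2(5), added for this thread (not the poster's config).
! Names Inside, DMZ, Management and CPLserver are the ones defined in the post.
!
! 1. Management (100) <-> inside (100): equal-security traffic is dropped
!    unless this is on. The DMZ can stay at security-level 50.
same-security-traffic permit inter-interface
!
! 2. Inside: only CPLserver may talk to the DMZ; no inside host may initiate
!    to Management. Inserted with "line" so the existing "permit ip any any"
!    (internet access) stays as the last entry. access-group is already bound.
access-list inside_access_in line 1 extended permit ip host CPLserver DMZ 255.255.255.0
access-list inside_access_in line 2 extended deny ip Inside 255.255.255.0 DMZ 255.255.255.0
access-list inside_access_in line 3 extended deny ip Inside 255.255.255.0 Management 255.255.255.0
!
! 3. DMZ: CPLserver only, nothing else on Inside or Management, internet open.
!    Binding an ACL replaces the implicit low-to-high deny with an implicit
!    deny-all, so the final permit is required or DMZ hosts lose internet.
!    DMZ_IN is an assumed name.
access-list DMZ_IN extended permit ip DMZ 255.255.255.0 host CPLserver
access-list DMZ_IN extended deny ip DMZ 255.255.255.0 Inside 255.255.255.0
access-list DMZ_IN extended deny ip DMZ 255.255.255.0 Management 255.255.255.0
access-list DMZ_IN extended permit ip DMZ 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! 4. Management may initiate to anything (100 -> 50 is open, 100 -> 100 via
!    step 1); no ACL needed. Inside -> Management is blocked by step 2.
!
! 5. ICMP is not tracked by the posted global_policy, so echo replies are
!    checked against the inbound ACL of the replying interface and the deny
!    lines in step 2 would eat replies to Management pings. Make ICMP stateful.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 6. DHCP: relay DMZ broadcasts to CPLserver. Relayed packets are sourced by
!    the ASA (giaddr 10.10.10.1) and are not subject to DMZ_IN. CPLserver
!    needs a scope for 10.10.10.0/24 with 10.10.10.1 as the router; setroute
!    has the ASA overwrite the router option with its dmz address anyway.
!    dhcprelay cannot coexist with "dhcpd enable" on the box; the posted
!    "dhcpd auto_config outside" alone does not enable the server.
dhcprelay server 192.168.10.2 inside
dhcprelay enable dmz
dhcprelay setroute dmz
dhcprelay timeout 90
```

To check each rule without waiting on a client, run packet-tracer from the ASA with the assumed sample host: `packet-tracer input dmz icmp 10.10.10.50 8 0 192.168.10.2` should end in ALLOW, `packet-tracer input dmz tcp 10.10.10.50 1025 192.168.10.20 445` and `packet-tracer input inside tcp 192.168.10.20 1025 192.168.0.1 22` should end in DROP at the ACL phase, and `packet-tracer input Management icmp 192.168.0.10 8 0 192.168.10.20` should ALLOW. `show access-list DMZ_IN` shows hit counts per line, and `show dhcprelay statistics` shows whether DISCOVER/OFFER pairs are actually being forwarded once a DMZ client renews.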
