03-18-2016 05:55 AM - edited 03-08-2019 05:01 AM
ASA Version 9.1(7)
interface Ethernet0/0
nameif outside
security-level 0
ip address 182.71.13.74 255.255.255.248
!
interface Ethernet0/1
nameif CDE
security-level 100
ip address 10.153.164.1 255.255.255.0
!
interface Ethernet0/2
nameif thirdparty
security-level 100
ip address 172.26.7.1 255.255.255.0
!
interface Ethernet0/3
nameif DMZ
security-level 0
ip address 172.26.6.1 255.255.255.0
Now
From CDE to DMZ network is working.
From CDE to Thirdparty network is working.
Required
From DMZ to CDE port 53
And From Thirdparty to CDE port 53 and 443
03-18-2016 07:34 AM
Hello Rakivant,
Required:
From DMZ to CDE port 53:
access-list dmz_access_in extended permit tcp any any eq 53
access-list dmz_access_in extended permit udp any any eq 53
Note: You may specify the source and destinations
And From Thirdparty to CDE port 53 and 443:
access-list thirdparty_acl extended permit tcp any any eq 53
access-list thirdparty_acl extended permit tcp any any eq 443
access-list thirdparty_acl extended permit udp any any eq 53
Note: You may specify the sources coming from the Thirdparty interface to the destination placed into the CDE interface.
Please proceed to rate and mark as correct the helpful Post!
Thanks,
David Castro,
03-25-2016 11:11 PM
04-09-2016 12:29 PM
Hello Ravikant,
Well, there are a couple of issues, you have not updated the ACL in the access group applied in the Thirdparty interface, please add this ACL for the traffic you tested in the packet tracer:
access-list thirdparty_acl extended permit udp host 172.26.7.197 object DC eq domain
The other mistake was the packet tracer you did, you indicated IP protocol 53, and no UDP 53. Update the ACL and run the same packet tracer and keep me posted,
Please proceed to rate and mark as correct the helpful Post!
Thanks,
David Castro,
03-18-2016 08:52 AM
Traffic from a higher security level to lower is permitted by default in ASA. Traffic from lower to higher security level is denied by default. But the return traffic for the traffic initiated from higher to lower will also be permitted since ASA is a stateful device.
When you want traffic to flow from lower to higher security-level, you have to permit that in an access-list. Create an access-list permitting that traffic and attach the ACL to the lower security level interface.
The traffic between two interfaces which are at the same security-level is not permitted by default. You have to permit it with this command: "same-security-traffic permit inter-interface".
CF
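Pulling David's ACL answer and CF's security-level explanation together, here is an added ASA configuration fragment (not from the original posters) that binds the ACLs to the lower-side interfaces with access-group, narrows them from "any any" to the DMZ and thirdparty subnets and named CDE hosts, adds the same-security-traffic command (CDE and thirdparty are both security-level 100), and verifies with packet-tracer using UDP/TCP rather than IP protocol 53. The object names DC and CDE_WEB and the host addresses 10.153.164.10/.20 are assumptions.

```cisco
! Named CDE hosts that actually serve the traffic (assumed addresses
! inside the 10.153.164.0/24 CDE subnet from the interface config above)
object network DC
 host 10.153.164.10
 description CDE DNS server (assumed address)
object network CDE_WEB
 host 10.153.164.20
 description CDE HTTPS service (assumed address)
!
! DMZ -> CDE: DNS only, from the DMZ subnet to the DC object.
! Everything else from DMZ is dropped by the ACL's implicit deny.
access-list dmz_access_in extended permit udp 172.26.6.0 255.255.255.0 object DC eq domain
access-list dmz_access_in extended permit tcp 172.26.6.0 255.255.255.0 object DC eq domain
! "in" = traffic entering the ASA on the DMZ interface
access-group dmz_access_in in interface DMZ
!
! thirdparty -> CDE: DNS to the DC and HTTPS to the web host only
access-list thirdparty_acl extended permit udp 172.26.7.0 255.255.255.0 object DC eq domain
access-list thirdparty_acl extended permit tcp 172.26.7.0 255.255.255.0 object DC eq domain
access-list thirdparty_acl extended permit tcp 172.26.7.0 255.255.255.0 object CDE_WEB eq https
access-group thirdparty_acl in interface thirdparty
!
! CDE and thirdparty are both security-level 100: without this line the
! ASA drops traffic between them no matter what the ACLs permit
same-security-traffic permit inter-interface
!
! Verify with the transport protocol and destination port. "ip ... 53"
! would test IP protocol 53, which is not DNS (David's second reply).
packet-tracer input thirdparty udp 172.26.7.197 1025 10.153.164.10 53
packet-tracer input thirdparty tcp 172.26.7.197 1025 10.153.164.20 443
packet-tracer input DMZ udp 172.26.6.50 1025 10.153.164.10 53
! Negative check: HTTPS from DMZ should end in DROP (no rule permits it)
packet-tracer input DMZ tcp 172.26.6.50 1025 10.153.164.20 443
```

Each packet-tracer run should report ALLOW for the three permitted flows and DROP (phase ACCESS-LIST) for the last one; if the thirdparty flows drop at the ACL phase, confirm the access-group binding and the same-security-traffic line with "show running-config access-group" and "show running-config same-security-traffic".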