cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
525
Views
0
Helpful
4
Replies

DMZ to Inside

ASA Version 9.1(7)
interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 182.71.13.74 255.255.255.248

!

interface Ethernet0/1

 nameif CDE

 security-level 100

 ip address 10.153.164.1 255.255.255.0

!

interface Ethernet0/2

 nameif thirdparty

 security-level 100

 ip address 172.26.7.1 255.255.255.0

!

interface Ethernet0/3

 nameif DMZ

 security-level 0

 ip address 172.26.6.1 255.255.255.0

Now

Form CDE to DMZ network is working.

From CDE to Thirdparty network is working.

Required

From DMZ to CDE port 53

And From Trirdparty to CDE port 53 and 443

4 Replies 4

David Castro F.
Spotlight
Spotlight

Hello Rakivant,

Required:

From DMZ to CDE port 53:

access-list dmz_access_in extended permit tcp any any eq 53
access-list dmz_access_in extended permit udp any any eq 53

Note: You may specify the source and destinations

 

And From Trirdparty to CDE port 53 and 443:

access-list thirdparty_acl extended permit tcp any any eq 53
access-list thirdparty_acl extended permit tcp any any eq 443
access-list thirdparty_acl extended permit udp any any eq 53

Note: You may specify the sources coming from The Trirdparty interface to the destination placed into the CDE interface,

Please proceed to rate and mark as correct the helpful Post!

Thanks,

David Castro, 

Dear Team,

Still the traffic is not allowing.

Attached the Screen shot.

Hello Ravikant,

Well, there are a couple of issues, you have not updated the ACL in the access group applied in the Thirdparty interface, please add this ACL for the traffic you tested in the packet tracer:

access-list thirdparty_acl extended permit udp host 172.26.7.197 object DC eq domain

The other mistake was the packet tracer you did, you indicated IP protocol 53, and no UDP 53. Update the ACL and run the same packet tracer and keep me posted,

Please proceed to rate and mark as correct the helpful Post!

Thanks,

David Castro,

Cisco Freak
Level 4
Level 4

Traffic from a higher security level to lower is permitted by default in ASA. Traffic from lower to higher security level is denied by default. But the return traffic for the traffic initiated from higher to lower will also be permitted since ASA is a stateful device.

When you want traffic to flow from lower to higher security-level, you have to permit that in an access-list. Create an access-list permitting that traffic and attach the ACL to the lower security level interface.

The traffic between two interfaces which are at the same security-level is not permitted by default. You have permit it with this command " same-security-traffic permit inter-interface"

CF

Review Cisco Networking for a $25 gift card