Created DMZ

Nhut
Level 1

Hello everyone, please help me. I want to create 3 sections: INSIDE, OUTSIDE and DMZ. From OUTSIDE it should be possible to ping and access services in the DMZ. INSIDE does the same thing, and in addition it is able to ping OUTSIDE (8.8.8.8); only INSIDE can ping OUTSIDE, not the reverse (OUTSIDE cannot ping INSIDE). I used the following methods: rules like

access-list DMZ-ACCESS extended permit icmp any any
access-list DMZ-ACCESS extended permit tcp any any eq www
access-list DMZ-ACCESS extended permit tcp any any eq 8080
access-list DMZ-ACCESS extended permit tcp any any eq domain
access-list DMZ-ACCESS extended permit udp any any eq domain
access-list DMZ-ACCESS extended permit udp any any eq bootps
access-list DMZ-ACCESS extended permit udp any any eq bootpc
access-list INTERNET-ACCESS extended permit icmp any any
access-list INTERNET-ACCESS extended permit tcp any any eq domain
access-list INTERNET-ACCESS extended permit udp any any eq domain
access-list INTERNET-ACCESS extended permit tcp any any eq www
access-list INTERNET-ACCESS extended permit tcp any any eq 8080
access-list INTERNET-ACCESS extended permit tcp any any
access-list IN-DMZ extended permit tcp any any
access-list IN-DMZ extended permit udp any any
access-group DMZ-ACCESS in interface DMZ
access-group IN-DMZ out interface INSIDE
access-group INTERNET-ACCESS in interface OUTSIDE

I have applied the above rules, but web access to the DMZ is not possible. And what I don't want is for OUTSIDE to be able to access INSIDE. So please help me, everyone.


18 Replies

@Nhut Attach the Packet Tracer file here instead. Zip it first.

I don't know how to get that file, can you help me?

Sure. In Packet Tracer, go to File, Save As, choose a folder on your PC and save the file.

After that, right-click on the file, go to "Send to" and use the option "Compressed (zipped) folder". Then attach the zipped folder here.

ASA's password is Cisco

I made some changes and I believe it is working as intended for ICMP at least. Take a look and tell me.

Nhut
Level 1

Thank you very much, can you help me with one more thing: can the computers in INSIDE and OUTSIDE access the web?

I believe this is it. Some things I did with ACL and some with inspect. ASA in PacketTracer is a bit buggy. Hope that helps

Thank you, can you explain to me why I'm wrong?

Not to say you are wrong actually, but the ASA in Packet Tracer is a bit buggy, as I said, and this can add some challenges.

For example, the ASA does not work well with OSPF; when working with the ASA in Packet Tracer, give preference to static routes.

The ACL was correct, but it was presenting weird behavior. Basically, if you have an interface with security level 100 (inside), the traffic toward an interface with security level 0 (outside) is allowed as long as you have inspection.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
  inspect icmp
  inspect http

With this configuration, you don't need to add an ACL, and it makes it easier.

The ACL will be required for the traffic coming from OUTSIDE to DMZ, because OUTSIDE has a lower security level than DMZ.


Thank you very much 🥰🥰, can you explain to me how the access list is related to priority?

Not sure if I understood. The ACL is read by the firewall from the top to the bottom. The first match will be used to take action.

Is that what you are asking?
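The two rules explained in these replies (the security-level default for interfaces without an ACL, and top-to-bottom first-match evaluation of an applied ACL), as an added Python model that is not from the thread or from Cisco: it parses ACL lines in the form the question posted, applies the ACL bound inbound to the ingress interface, and otherwise falls back to the security-level comparison. NAT, inspection and outbound access-groups are left out, and the DMZ level of 50 is an assumed value.

```python
from typing import Dict, List, Optional, Tuple

# 100 and 0 are the levels named in the thread; 50 for DMZ is an assumed value.
SECURITY_LEVEL = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}  # keywords in the question
Ace = Tuple[str, str, Optional[int]]  # (action, protocol, destination port or None)

def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect the entries of each 'access-list NAME extended ...' line, in order."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue  # not an extended ACL entry (e.g. a remark), skip it
        port = None
        if len(tok) >= 9 and tok[7] == "eq":
            port = PORT_NAMES.get(tok[8]) or int(tok[8])  # keyword or number
        acls.setdefault(tok[1], []).append((tok[3], tok[4], port))
    return acls

def acl_permits(acl: List[Ace], proto: str, dst_port: Optional[int]) -> bool:
    """Top-to-bottom, first match decides; an applied ACL ends in an implicit deny."""
    for action, ace_proto, ace_port in acl:
        if ace_proto in ("ip", proto) and (ace_port is None or ace_port == dst_port):
            return action == "permit"
    return False

def allowed(ingress: str, egress: str, proto: str, dst_port: Optional[int],
            acls: Dict[str, List[Ace]], access_groups: Dict[str, str]) -> bool:
    """access_groups maps an interface to the ACL applied inbound on it."""
    name = access_groups.get(ingress)
    if name is not None:
        return acl_permits(acls[name], proto, dst_port)  # the ACL alone decides
    # No inbound ACL: security-level default, higher level to lower level only.
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]

# Constructed sample: three lines from the question, bound inbound on OUTSIDE.
SAMPLE_CONFIG = """\
access-list INTERNET-ACCESS extended permit icmp any any
access-list INTERNET-ACCESS extended permit tcp any any eq www
access-list INTERNET-ACCESS extended permit tcp any any eq 8080
"""
SAMPLE_GROUPS = {"OUTSIDE": "INTERNET-ACCESS"}

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for flow in [("INSIDE", "OUTSIDE", "icmp", None), ("OUTSIDE", "INSIDE", "tcp", 22),
                 ("OUTSIDE", "INSIDE", "icmp", None)]:
        print(flow, "allowed" if allowed(*flow, acls, SAMPLE_GROUPS) else "denied")
```

Note that in this model a "permit icmp any any" applied inbound on OUTSIDE also lets pings reach INSIDE, since the ACL does not distinguish destinations.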
