Solved

Need to allow access from DMZ to inside on ASA 5505

Posted on 2008-10-16
Last Modified: 2012-05-05
I need to allow access from the DMZ to the inside on an ASA 5505. I need to allow all traffic and don't need to hide the subnet on the inside interface. There are no externally accessible services to the DMZ...I am just segregating a couple networks and need to allow for occasional access between VLANs.
en
 
config t
hostname ASA
domain-name domain.local
enable password cisco
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shut
!
interface Vlan2
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 no shut
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
 no shut
!
interface Ethernet0/0
 switchport access vlan 11
 no shut
!
interface Ethernet0/1
 switchport access vlan 1
 no shut
!
interface Ethernet0/2
 switchport access vlan 1
 no shut
!
interface Ethernet0/3
 switchport access vlan 2
 no shut
!
interface Ethernet0/4
 switchport access vlan 2
 no shut
!
interface Ethernet0/5
 switchport access vlan 2
 no shut
!
interface Ethernet0/6
 switchport access vlan 2
 no shut
!
interface Ethernet0/7
 switchport access vlan 2
 no shut
!
passwd cisco
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in permit tcp any any eq 25
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
route outside 0 0 x.x.x.x
static (inside,outside) tcp interface 25 192.168.2.5 25 netmask 255.255.255.255 0 0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd address 192.168.1.100-192.168.1.130 dmz
dhcpd dns 198.88.216.2 198.88.216.3 interface dmz
dhcpd lease 14400 interface dmz
dhcpd domain domain.local interface dmz
dhcpd option 3 ip 192.168.1.1 interface dmz
dhcpd enable dmz
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
write mem
Question by:FIFBA
6 Comments
Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22733845
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

Alternate:

interface Vlan2
 security-level 100  <== same as inside

no nat-control

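As an added example (not code from the thread or from Cisco), a small Python checker that walks the gates the posted config and the accepted answer touch: the `no forward interface Vlan1` line on Vlan2, the security levels against `same-security-traffic`, and the ACL bound inbound on the dmz interface. The function names `parse_asa` and `can_initiate` are assumptions, the model deliberately ignores NAT, nat-control and the `static` line, and only a blanket `permit ip any any` ACL is recognised.

```python
"""Static check for the question above: may a host on the dmz VLAN initiate a
connection to the inside VLAN?  Models three gates only: the 'no forward
interface' restriction, security levels vs same-security-traffic, and the ACL
bound inbound on the source interface.  NAT and nat-control are ignored."""
import re

def parse_asa(cfg):
    """Collect just the statements the check needs; every other line is skipped."""
    ifaces, cur, acl_any, groups, same_sec = {}, None, set(), {}, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"no_forward": set()})
        elif cur is not None and (m := re.match(r"nameif (\S+)$", line)):
            cur["nameif"] = m.group(1)
        elif cur is not None and (m := re.match(r"security-level (\d+)$", line)):
            cur["level"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"no forward interface (\S+)$", line)):
            cur["no_forward"].add(m.group(1))
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
        elif m := re.match(r"access-list (\S+) permit ip any any$", line):
            acl_any.add(m.group(1))  # simplification: only a blanket permit is recognised
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            groups[m.group(2)] = m.group(1)
    return {"ifaces": ifaces, "acl_any": acl_any, "groups": groups, "same_sec": same_sec}

def can_initiate(cfg, src, dst):
    """Return (allowed, reason) for connections initiated from nameif src to dst."""
    by_name = {v["nameif"]: (k, v) for k, v in cfg["ifaces"].items() if "nameif" in v}
    src_vlan, s = by_name[src]
    dst_vlan, d = by_name[dst]
    if dst_vlan in s["no_forward"]:  # the Base licence restriction in the posted config
        return False, f"{src_vlan} carries 'no forward interface {dst_vlan}'"
    if s["level"] == d["level"] and not cfg["same_sec"]:
        return False, "equal levels need 'same-security-traffic permit inter-interface'"
    if s["level"] < d["level"] and cfg["groups"].get(src) not in cfg["acl_any"]:
        return False, f"lower-to-higher traffic needs a permit ACL bound 'in interface {src}'"
    return True, "permitted"

# Constructed sample: the lines of the posted config that the check looks at.
ORIGINAL = """interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 no forward interface Vlan1
 nameif dmz
 security-level 50
same-security-traffic permit inter-interface
"""
# The accepted answer's first suggestion appended; the static NAT line is not modelled.
ACCEPTED = ORIGINAL + "access-list dmz_in permit ip any any\naccess-group dmz_in in interface dmz\n"
```

Run against ORIGINAL the check fails on the `no forward interface Vlan1` line before the ACL is even consulted, which is why adding the ACL alone changes nothing here.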
Author Comment

by:FIFBA
ID: 22766988
I've tried both of these suggestions but no success. Do I need to explicitly allow this traffic with an acl on the inside interface?
Expert Comment

by:lrmoore
ID: 22772867
Did you get it working?
Author Comment

by:FIFBA
ID: 22772985
Actually, I found out that the unit has a base license and not the security plus license required for this scenario. Do you know if it is possible to initiate connectivity from the inside to the DMZ with a base license or is all traffic between the DMZ and inside interface prevented?
Expert Comment

by:lrmoore
ID: 22775534
Not possible with base license.
Author Comment

by:FIFBA
ID: 22776458
Thanks for the help.