Need to allow access from DMZ to inside on ASA 5505

I need to allow access from the DMZ to the inside on an ASA 5505. I need to allow all traffic and don't need to hide the subnet on the inside interface. There are no externally accessible services to the DMZ...I am just segregating a couple networks and need to allow for occasional access between VLANs.
en
 
config t
hostname ASA
domain-name domain.local
enable password cisco
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
no shut
!
interface Vlan2
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
no shut
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 
 no shut
!
interface Ethernet0/0
 switchport access vlan 11
no shut
!
interface Ethernet0/1
switchport access vlan 1
no shut
!
interface Ethernet0/2
switchport access vlan 1
no shut
!
interface Ethernet0/3
switchport access vlan 2
no shut
!
interface Ethernet0/4
switchport access vlan 2
no shut
!
interface Ethernet0/5
switchport access vlan 2
no shut
!
interface Ethernet0/6
switchport access vlan 2
no shut
!
interface Ethernet0/7
switchport access vlan 2
 
no shut
!
passwd cisco
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in permit tcp any any eq 25
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
route outside 0 0 x.x.x.x
static (inside,outside) tcp interface 25 192.168.2.5 25 netmask 255.255.255.255 0 0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd address 192.168.1.100-192.168.1.130 dmz
dhcpd dns 198.88.216.2 198.88.216.3 interface dmz
dhcpd lease 14400 interface dmz
dhcpd domain domain.local interface dmz
dhcpd option 3 ip 192.168.1.1 interface dmz
dhcpd enable dmz
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
write mem

Open in new window

FIFBAAsked:
Who is Participating?
 
lrmooreConnect With a Mentor Commented:
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

Alternate:

interface Vlan2
 security-level 100  <== same as inside

no nat-control


0
 
FIFBAAuthor Commented:
I've tried both of these suggestions but no success. Do I need to explicitly allow this traffic with an acl on the inside interface?
0
 
lrmooreCommented:
Did you get it working?
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

 
FIFBAAuthor Commented:
Actually, I found out that the unit has a base license and not the security plus license required for this scenario. Do you know if it is possible to initiate connectivity from the inside to the DMZ with a base license or is all traffic between the DMZ and inside interface prevented?
0
 
lrmooreCommented:
Not possible with base license.
0
 
FIFBAAuthor Commented:
Thanks for the help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.