Solved

Need to allow access from DMZ to inside on ASA 5505

Posted on 2008-10-16
6
780 Views
Last Modified: 2012-05-05
I need to allow access from the DMZ to the inside on an ASA 5505. I need to allow all traffic and don't need to hide the subnet on the inside interface. There are no externally accessible services to the DMZ...I am just segregating a couple networks and need to allow for occasional access between VLANs.
en
 

config t

hostname ASA

domain-name domain.local

enable password cisco

names

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.2.1 255.255.255.0

no shut

!

interface Vlan2

 no forward interface Vlan1

 nameif dmz

 security-level 50

 ip address 192.168.1.1 255.255.255.0

no shut

!

interface Vlan11

 nameif outside

 security-level 0

 ip address x.x.x.x 255.255.255.0 

 no shut

!

interface Ethernet0/0

 switchport access vlan 11

no shut

!

interface Ethernet0/1

switchport access vlan 1

no shut

!

interface Ethernet0/2

switchport access vlan 1

no shut

!

interface Ethernet0/3

switchport access vlan 2

no shut

!

interface Ethernet0/4

switchport access vlan 2

no shut

!

interface Ethernet0/5

switchport access vlan 2

no shut

!

interface Ethernet0/6

switchport access vlan 2

no shut

!

interface Ethernet0/7

switchport access vlan 2
 

no shut

!

passwd cisco

ftp mode passive

dns server-group DefaultDNS

 domain-name domain.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_in permit tcp any any eq 25

access-list outside_in permit icmp any any echo-reply

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit icmp any any unreachable

access-group outside_in in interface outside

route outside 0 0 x.x.x.x

static (inside,outside) tcp interface 25 192.168.2.5 25 netmask 255.255.255.255 0 0

pager lines 24

mtu inside 1500

mtu dmz 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

nat (dmz) 101 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

dhcpd address 192.168.1.100-192.168.1.130 dmz

dhcpd dns 198.88.216.2 198.88.216.3 interface dmz

dhcpd lease 14400 interface dmz

dhcpd domain domain.local interface dmz

dhcpd option 3 ip 192.168.1.1 interface dmz

dhcpd enable dmz

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect netbios 

  inspect rsh 

  inspect rtsp 

  inspect skinny 

  inspect esmtp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect sip 

  inspect xdmcp 

!

write mem

Open in new window

0
Comment
Question by:FIFBA
  • 3
  • 3
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22733845
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

Alternate:

interface Vlan2
 security-level 100  <== same as inside

no nat-control


0
 

Author Comment

by:FIFBA
ID: 22766988
I've tried both of these suggestions but no success. Do I need to explicitly allow this traffic with an acl on the inside interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22772867
Did you get it working?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:FIFBA
ID: 22772985
Actually, I found out that the unit has a base license and not the security plus license required for this scenario. Do you know if it is possible to initiate connectivity from the inside to the DMZ with a base license or is all traffic between the DMZ and inside interface prevented?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22775534
Not possible with base license.
0
 

Author Comment

by:FIFBA
ID: 22776458
Thanks for the help.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now