Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Need to allow access from DMZ to inside on ASA 5505

Posted on 2008-10-16
6
Medium Priority
?
804 Views
Last Modified: 2012-05-05
I need to allow access from the DMZ to the inside on an ASA 5505. I need to allow all traffic and don't need to hide the subnet on the inside interface. There are no externally accessible services to the DMZ...I am just segregating a couple networks and need to allow for occasional access between VLANs.
en
 
config t
hostname ASA
domain-name domain.local
enable password cisco
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
no shut
!
interface Vlan2
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
no shut
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 
 no shut
!
interface Ethernet0/0
 switchport access vlan 11
no shut
!
interface Ethernet0/1
switchport access vlan 1
no shut
!
interface Ethernet0/2
switchport access vlan 1
no shut
!
interface Ethernet0/3
switchport access vlan 2
no shut
!
interface Ethernet0/4
switchport access vlan 2
no shut
!
interface Ethernet0/5
switchport access vlan 2
no shut
!
interface Ethernet0/6
switchport access vlan 2
no shut
!
interface Ethernet0/7
switchport access vlan 2
 
no shut
!
passwd cisco
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in permit tcp any any eq 25
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
route outside 0 0 x.x.x.x
static (inside,outside) tcp interface 25 192.168.2.5 25 netmask 255.255.255.255 0 0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd address 192.168.1.100-192.168.1.130 dmz
dhcpd dns 198.88.216.2 198.88.216.3 interface dmz
dhcpd lease 14400 interface dmz
dhcpd domain domain.local interface dmz
dhcpd option 3 ip 192.168.1.1 interface dmz
dhcpd enable dmz
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
write mem

Open in new window

0
Comment
Question by:FIFBA
  • 3
  • 3
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22733845
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

Alternate:

interface Vlan2
 security-level 100  <== same as inside

no nat-control


0
 

Author Comment

by:FIFBA
ID: 22766988
I've tried both of these suggestions but no success. Do I need to explicitly allow this traffic with an acl on the inside interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22772867
Did you get it working?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:FIFBA
ID: 22772985
Actually, I found out that the unit has a base license and not the security plus license required for this scenario. Do you know if it is possible to initiate connectivity from the inside to the DMZ with a base license or is all traffic between the DMZ and inside interface prevented?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22775534
Not possible with base license.
0
 

Author Comment

by:FIFBA
ID: 22776458
Thanks for the help.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question