Solved

Need to allow access from DMZ to inside on ASA 5505

Posted on 2008-10-16
779 Views
Last Modified: 2012-05-05
I need to allow access from the DMZ to the inside on an ASA 5505. I need to allow all traffic and don't need to hide the subnet on the inside interface. There are no externally accessible services to the DMZ... I am just segregating a couple of networks and need to allow for occasional access between VLANs.
en
config t
hostname ASA
domain-name domain.local
enable password cisco
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shut
!
interface Vlan2
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 no shut
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
 no shut
!
interface Ethernet0/0
 switchport access vlan 11
 no shut
!
interface Ethernet0/1
 switchport access vlan 1
 no shut
!
interface Ethernet0/2
 switchport access vlan 1
 no shut
!
interface Ethernet0/3
 switchport access vlan 2
 no shut
!
interface Ethernet0/4
 switchport access vlan 2
 no shut
!
interface Ethernet0/5
 switchport access vlan 2
 no shut
!
interface Ethernet0/6
 switchport access vlan 2
 no shut
!
interface Ethernet0/7
 switchport access vlan 2
 no shut
!
passwd cisco
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in permit tcp any any eq 25
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
route outside 0 0 x.x.x.x
static (inside,outside) tcp interface 25 192.168.2.5 25 netmask 255.255.255.255 0 0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd address 192.168.1.100-192.168.1.130 dmz
dhcpd dns 198.88.216.2 198.88.216.3 interface dmz
dhcpd lease 14400 interface dmz
dhcpd domain domain.local interface dmz
dhcpd option 3 ip 192.168.1.1 interface dmz
dhcpd enable dmz
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
write mem
Question by:FIFBA
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

Alternate:

interface Vlan2
 security-level 100  <== same as inside

no nat-control


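The accepted approach spelled out end to end, as an added example that is not part of lrmoore's answer or the asker's config. It uses the interface names and subnets from the posted configuration (inside 192.168.2.0/24 at security 100, dmz 192.168.1.0/24 at security 50, mail host 192.168.2.5); the DMZ source address and the destination port in the packet-tracer line are placeholders chosen for illustration. The ACL is scoped to the two subnets rather than "any any" so that only the segregated networks, not anything routed through the DMZ, can reach inside.

```cisco
! Added example (not from the original thread): DMZ -> inside without translation.
!
! 1. Identity static so inside addresses appear unchanged to the DMZ.
!    Required while nat-control is on; harmless when it is off.
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! 2. Traffic from a lower to a higher security level needs an explicit permit.
!    Restricting source and destination to the two subnets is tighter than
!    "permit ip any any" and still allows all protocols between them.
access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group dmz_in in interface dmz
!
! 3. Verify the translation and the policy decision before testing from a host.
!    192.168.1.100 is an address from the posted dmz DHCP pool; 445 is a
!    placeholder destination port.
show xlate
show access-list dmz_in
packet-tracer input dmz tcp 192.168.1.100 12345 192.168.2.5 445
!
! Caveat: the posted config carries "no forward interface Vlan1" under
! interface Vlan2. That line is the 5505 Base license restriction on the
! third VLAN, and while it is present connections initiated from the dmz
! toward inside are dropped regardless of the NAT and ACL above; the
! packet-tracer output will show the drop. The thread concludes that the
! Security Plus license is needed to lift it.
```

packet-tracer walks a synthetic packet through routing, NAT and the access-group in order and reports the phase that drops it, which is the quickest way to tell an ACL or NAT mistake apart from the license restriction.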
 

Author Comment

by:FIFBA
I've tried both of these suggestions but no success. Do I need to explicitly allow this traffic with an acl on the inside interface?
 
LVL 79

Expert Comment

by:lrmoore
Did you get it working?

Author Comment

by:FIFBA
Actually, I found out that the unit has a base license and not the security plus license required for this scenario. Do you know if it is possible to initiate connectivity from the inside to the DMZ with a base license or is all traffic between the DMZ and inside interface prevented?
 
LVL 79

Expert Comment

by:lrmoore
Not possible with base license.
 

Author Comment

by:FIFBA
Thanks for the help.