Solved

Need to allow access from DMZ to inside on ASA 5505

Posted on 2008-10-16
6
784 Views
Last Modified: 2012-05-05
I need to allow access from the DMZ to the inside on an ASA 5505. I need to allow all traffic and don't need to hide the subnet on the inside interface. There are no externally accessible services to the DMZ...I am just segregating a couple networks and need to allow for occasional access between VLANs.
en
 
config t
hostname ASA
domain-name domain.local
enable password cisco
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
no shut
!
interface Vlan2
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
no shut
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 
 no shut
!
interface Ethernet0/0
 switchport access vlan 11
no shut
!
interface Ethernet0/1
switchport access vlan 1
no shut
!
interface Ethernet0/2
switchport access vlan 1
no shut
!
interface Ethernet0/3
switchport access vlan 2
no shut
!
interface Ethernet0/4
switchport access vlan 2
no shut
!
interface Ethernet0/5
switchport access vlan 2
no shut
!
interface Ethernet0/6
switchport access vlan 2
no shut
!
interface Ethernet0/7
switchport access vlan 2
 
no shut
!
passwd cisco
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in permit tcp any any eq 25
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
route outside 0 0 x.x.x.x
static (inside,outside) tcp interface 25 192.168.2.5 25 netmask 255.255.255.255 0 0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd address 192.168.1.100-192.168.1.130 dmz
dhcpd dns 198.88.216.2 198.88.216.3 interface dmz
dhcpd lease 14400 interface dmz
dhcpd domain domain.local interface dmz
dhcpd option 3 ip 192.168.1.1 interface dmz
dhcpd enable dmz
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
write mem

Open in new window

0
Comment
Question by:FIFBA
  • 3
  • 3
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22733845
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

Alternate:

interface Vlan2
 security-level 100  <== same as inside

no nat-control


0
 

Author Comment

by:FIFBA
ID: 22766988
I've tried both of these suggestions but no success. Do I need to explicitly allow this traffic with an acl on the inside interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22772867
Did you get it working?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:FIFBA
ID: 22772985
Actually, I found out that the unit has a base license and not the security plus license required for this scenario. Do you know if it is possible to initiate connectivity from the inside to the DMZ with a base license or is all traffic between the DMZ and inside interface prevented?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22775534
Not possible with base license.
0
 

Author Comment

by:FIFBA
ID: 22776458
Thanks for the help.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question