Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions


Posted on 2010-09-22
Last Modified: 2012-06-22
A 3rd party is helping build our new infrastructure.  We have a couple of web servers in a DMZ off an ASA 5510.  There's also a catalyst they've configured with vlans.  My questions is simple.  After setting up I had NO access to the DMZ from the lan, no rdp, no ftp etc, plus I'm used to putting backup exec on those servers and Symantec AV and managing those on a server in the local lan, which I know requires some ports opened between the DMZ and the Local lan.  They are having trouble getting this to work and keep badgering me about giving the access.  Is this such an unusal request?  If so, how do other people access, transfer files, manage backups/antivirus on DMZ equipment?
Question by:Brian_MB
  • 3
  • 2
LVL 16

Assisted Solution

uescomp earned 150 total points
ID: 33738351
I'm not sure about the 5510 but I know that on the ASA 5505 the default license package does not allow the DMZ to communicate with the LAN in any way.  The DMZ can only access the internet.  This sounds like it may be a licensing issue to me.  If you purchased a Smart Net contract with your firewall I would contact CIsco TAC support and see if they can help you with the problem.

Accepted Solution

joseleonardo earned 350 total points
ID: 33739024
You have to create just a NAT rule to do this:


interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address

access-list dmznat extended permit ip

global (DMZ) 1 interface
nat (inside) 1 access-list dmznat

That's all...



Author Comment

ID: 33743989
Thanks for the info guys.  My outsourced IT folks talked to Cisco yesterday.  Although I still think they'd rather I didn't do the access at all, they've agreed to it.  In our situation where the servers are virtualized and at a colo facility, I need to be able to access, transfer files etc. from the local lan at the colo via a terminal server on that local lan.  If the servers were just in my office, then obviously NO access would be more secure and I could access them physically, but not so easy when they are an hour away.
Anyway, I'm going to close this question for now as it appears there's a bit more to it after they talked to cisco, and it may be something that's fairly unusual in our setup and it may not be the ASA at all but the Catalyst switch.  The DMZ is VLAN'd off the catalyst and according to Cisco, the packets from the local lan to the DMZ are never reaching the ASA, so we're going to do some troubleshooting on the Catalyst routing as soon as we have time.
I'll split the points up though as both of your inputs contain usefull info.
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.


Expert Comment

ID: 33744065
Oks, I have no problem.

Author Closing Comment

ID: 33753322
IT company evaluating Catalyst routing to DMZ

Expert Comment

ID: 33771821
It Will be helpful, but you have the two networks into the ASA... why you want to get traffic back to the Catalyst?

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco RV 130 - No internet on wired connections, wireless clients ok 32 85
Problem to router 7 71
DMVPN Spoke Connectivity Issue 1 34
Port Forwarding 4 29
We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question