Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ASA ACCESS TO DMZ FROM LAN

Posted on 2010-09-22
6
Medium Priority
?
381 Views
Last Modified: 2012-06-22
A 3rd party is helping build our new infrastructure.  We have a couple of web servers in a DMZ off an ASA 5510.  There's also a catalyst they've configured with vlans.  My questions is simple.  After setting up I had NO access to the DMZ from the lan, no rdp, no ftp etc, plus I'm used to putting backup exec on those servers and Symantec AV and managing those on a server in the local lan, which I know requires some ports opened between the DMZ and the Local lan.  They are having trouble getting this to work and keep badgering me about giving the access.  Is this such an unusal request?  If so, how do other people access, transfer files, manage backups/antivirus on DMZ equipment?
0
Comment
Question by:Brian_MB
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 16

Assisted Solution

by:uescomp
uescomp earned 600 total points
ID: 33738351
I'm not sure about the 5510 but I know that on the ASA 5505 the default license package does not allow the DMZ to communicate with the LAN in any way.  The DMZ can only access the internet.  This sounds like it may be a licensing issue to me.  If you purchased a Smart Net contract with your firewall I would contact CIsco TAC support and see if they can help you with the problem.
0
 
LVL 2

Accepted Solution

by:
joseleonardo earned 1400 total points
ID: 33739024
You have to create just a NAT rule to do this:

Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.251.2.250 255.255.255.0


access-list dmznat extended permit ip 192.168.254.0 255.255.255.0 10.251.2.0 255.255.255.0

global (DMZ) 1 interface
nat (inside) 1 access-list dmznat


That's all...

Regards,

0
 

Author Comment

by:Brian_MB
ID: 33743989
Thanks for the info guys.  My outsourced IT folks talked to Cisco yesterday.  Although I still think they'd rather I didn't do the access at all, they've agreed to it.  In our situation where the servers are virtualized and at a colo facility, I need to be able to access, transfer files etc. from the local lan at the colo via a terminal server on that local lan.  If the servers were just in my office, then obviously NO access would be more secure and I could access them physically, but not so easy when they are an hour away.
Anyway, I'm going to close this question for now as it appears there's a bit more to it after they talked to cisco, and it may be something that's fairly unusual in our setup and it may not be the ASA at all but the Catalyst switch.  The DMZ is VLAN'd off the catalyst and according to Cisco, the packets from the local lan to the DMZ are never reaching the ASA, so we're going to do some troubleshooting on the Catalyst routing as soon as we have time.
I'll split the points up though as both of your inputs contain usefull info.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:joseleonardo
ID: 33744065
Oks, I have no problem.
0
 

Author Closing Comment

by:Brian_MB
ID: 33753322
IT company evaluating Catalyst routing to DMZ
0
 
LVL 2

Expert Comment

by:joseleonardo
ID: 33771821
It Will be helpful, but you have the two networks into the ASA... why you want to get traffic back to the Catalyst?
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question