Posted on 2010-09-22
Medium Priority
Last Modified: 2012-06-22
A 3rd party is helping build our new infrastructure.  We have a couple of web servers in a DMZ off an ASA 5510.  There's also a catalyst they've configured with vlans.  My questions is simple.  After setting up I had NO access to the DMZ from the lan, no rdp, no ftp etc, plus I'm used to putting backup exec on those servers and Symantec AV and managing those on a server in the local lan, which I know requires some ports opened between the DMZ and the Local lan.  They are having trouble getting this to work and keep badgering me about giving the access.  Is this such an unusal request?  If so, how do other people access, transfer files, manage backups/antivirus on DMZ equipment?
Question by:Brian_MB
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 16

Assisted Solution

uescomp earned 600 total points
ID: 33738351
I'm not sure about the 5510 but I know that on the ASA 5505 the default license package does not allow the DMZ to communicate with the LAN in any way.  The DMZ can only access the internet.  This sounds like it may be a licensing issue to me.  If you purchased a Smart Net contract with your firewall I would contact CIsco TAC support and see if they can help you with the problem.

Accepted Solution

joseleonardo earned 1400 total points
ID: 33739024
You have to create just a NAT rule to do this:


interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address

access-list dmznat extended permit ip

global (DMZ) 1 interface
nat (inside) 1 access-list dmznat

That's all...



Author Comment

ID: 33743989
Thanks for the info guys.  My outsourced IT folks talked to Cisco yesterday.  Although I still think they'd rather I didn't do the access at all, they've agreed to it.  In our situation where the servers are virtualized and at a colo facility, I need to be able to access, transfer files etc. from the local lan at the colo via a terminal server on that local lan.  If the servers were just in my office, then obviously NO access would be more secure and I could access them physically, but not so easy when they are an hour away.
Anyway, I'm going to close this question for now as it appears there's a bit more to it after they talked to cisco, and it may be something that's fairly unusual in our setup and it may not be the ASA at all but the Catalyst switch.  The DMZ is VLAN'd off the catalyst and according to Cisco, the packets from the local lan to the DMZ are never reaching the ASA, so we're going to do some troubleshooting on the Catalyst routing as soon as we have time.
I'll split the points up though as both of your inputs contain usefull info.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 33744065
Oks, I have no problem.

Author Closing Comment

ID: 33753322
IT company evaluating Catalyst routing to DMZ

Expert Comment

ID: 33771821
It Will be helpful, but you have the two networks into the ASA... why you want to get traffic back to the Catalyst?

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question