• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 382
  • Last Modified:

ASA ACCESS TO DMZ FROM LAN

A 3rd party is helping build our new infrastructure.  We have a couple of web servers in a DMZ off an ASA 5510.  There's also a catalyst they've configured with vlans.  My questions is simple.  After setting up I had NO access to the DMZ from the lan, no rdp, no ftp etc, plus I'm used to putting backup exec on those servers and Symantec AV and managing those on a server in the local lan, which I know requires some ports opened between the DMZ and the Local lan.  They are having trouble getting this to work and keep badgering me about giving the access.  Is this such an unusal request?  If so, how do other people access, transfer files, manage backups/antivirus on DMZ equipment?
0
Brian_MB
Asked:
Brian_MB
  • 3
  • 2
2 Solutions
 
uescompCommented:
I'm not sure about the 5510 but I know that on the ASA 5505 the default license package does not allow the DMZ to communicate with the LAN in any way.  The DMZ can only access the internet.  This sounds like it may be a licensing issue to me.  If you purchased a Smart Net contract with your firewall I would contact CIsco TAC support and see if they can help you with the problem.
0
 
joseleonardoCommented:
You have to create just a NAT rule to do this:

Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.251.2.250 255.255.255.0


access-list dmznat extended permit ip 192.168.254.0 255.255.255.0 10.251.2.0 255.255.255.0

global (DMZ) 1 interface
nat (inside) 1 access-list dmznat


That's all...

Regards,

0
 
Brian_MBAuthor Commented:
Thanks for the info guys.  My outsourced IT folks talked to Cisco yesterday.  Although I still think they'd rather I didn't do the access at all, they've agreed to it.  In our situation where the servers are virtualized and at a colo facility, I need to be able to access, transfer files etc. from the local lan at the colo via a terminal server on that local lan.  If the servers were just in my office, then obviously NO access would be more secure and I could access them physically, but not so easy when they are an hour away.
Anyway, I'm going to close this question for now as it appears there's a bit more to it after they talked to cisco, and it may be something that's fairly unusual in our setup and it may not be the ASA at all but the Catalyst switch.  The DMZ is VLAN'd off the catalyst and according to Cisco, the packets from the local lan to the DMZ are never reaching the ASA, so we're going to do some troubleshooting on the Catalyst routing as soon as we have time.
I'll split the points up though as both of your inputs contain usefull info.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
joseleonardoCommented:
Oks, I have no problem.
0
 
Brian_MBAuthor Commented:
IT company evaluating Catalyst routing to DMZ
0
 
joseleonardoCommented:
It Will be helpful, but you have the two networks into the ASA... why you want to get traffic back to the Catalyst?
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now