• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco ASA5505 DMZ allow inside network to access DMZ interface.

I have a Cisco ASA5505 with DMZ, INSIDE, and OUTSIDE interfaces. I am trying to allow my inside network to access my DMZ. How would I go about doing this? Here is my current config:
Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 6ZoFBEConbp3Z7DJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 71.5.x.x XO-Gateway
name 10.23.141.93 SEO1-IN
name 71.5.x.x SEO1-OUT
name 10.23.141.62 SEO2-IN
name 71.5.x.x SEO2-OUT
name 10.23.141.94 SEO3-IN
name 71.5.x.x SEO3-OUT
name 10.23.141.88 SEO4-IN
name 71.5.x.x SEO4-OUT
name 10.23.141.70 SEO5-IN
name 71.5.x.x SEO5-OUT
name 10.23.141.51 SEO6-IN
name 71.5.x.x SEO6-OUT
name 10.23.136.12 PTMS5-DMZ
name 71.5.x.x PTMS5-OUT
name 10.23.136.10 PTMS6-DMZ
name 71.5.x.x PTMS6-OUT
name 10.23.136.16 CarJockey-DMZ
name 71.5.x.x CarJockey-OUT
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.23.140.51 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.5.x.x 255.255.255.224
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.23.136.51 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.23.140.5
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group service DM_INLINE_UDP_1 udp
 port-object eq netbios-dgm
 port-object eq netbios-ns
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit udp any any eq tftp
access-list outside_access_in extended permit tcp any any eq irc
access-list outside_access_in extended permit tcp any any eq h323
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq netbios-ssn
access-list outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool IP-Remote-VPN 10.23.140.201-10.23.140.204 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 10.23.136.0 255.255.255.0
static (inside,outside) SEO1-OUT SEO1-IN netmask 255.255.255.255
static (inside,outside) SEO2-OUT SEO2-IN netmask 255.255.255.255
static (inside,outside) SEO3-OUT SEO3-IN netmask 255.255.255.255
static (inside,outside) SEO4-OUT SEO4-IN netmask 255.255.255.255
static (inside,outside) SEO5-OUT SEO5-IN netmask 255.255.255.255
static (inside,outside) SEO6-OUT SEO6-IN netmask 255.255.255.255
static (DMZ,outside) PTMS5-OUT PTMS5-DMZ netmask 255.255.255.255
static (DMZ,outside) PTMS6-OUT PTMS6-DMZ netmask 255.255.255.255
static (DMZ,outside) CarJockey-OUT CarJockey-DMZ netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XO-Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PTMS-AD protocol ldap
aaa-server PTMS-AD (inside) host 10.23.140.5
 timeout 5
 server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DMZ_map interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 enable DMZ
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy PTMS-RemoteVPN internal
group-policy PTMS-RemoteVPN attributes
 wins-server none
 dns-server value 10.23.140.51
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 default-domain none
username ptms-vpn1 password CdC4g4xwGZqPuXm3 encrypted privilege 15
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool IP-Remote-VPN
 authentication-server-group PTMS-AD
 default-group-policy PTMS-RemoteVPN
tunnel-group SSL-VPN webvpn-attributes
 group-alias ActiveDirectory enable
tunnel-group LOCAL-VPN type remote-access
tunnel-group LOCAL-VPN general-attributes
 address-pool IP-Remote-VPN
 default-group-policy PTMS-RemoteVPN
tunnel-group LOCAL-VPN webvpn-attributes
 group-alias LOCAL enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5cbf6dbde6604ace27a8fc8eb8b57619
: end
jmeggers commented:
As long as traffic knows where the other subnet is (i.e., routing is working), and traffic is originating on the inside, it should work the way you have it. Is it not, and if not, can you give us more detail about what you're seeing?

The only thing I see that  may be getting in the way is you have a NAT configuration on the DMZ interface, but you don't need to NAT to the inside, so you may want to put in a no-nat ACL that exempts traffic going to the inside from being NATed.

You don't have an ACL on your inside interface, so all traffic going to the DMZ side will be allowed by default. Return (stateful) traffic will be allowed, but if you're testing with ICMP make sure you either expressly permit ICMP in the DMZ interface, or add ICMP to the application inspections. If traffic originating in the DMZ needs access to the inside, you will need a DMZ ACL to expressly permit that.

adanser83 (author) commented:
Can you show me some examples? I'm sorry, I think I'm a little confused.

max_the_king commented:
hi,
try the following:

access-list nonat 10.23.140.0 255.255.252.0 10.23.136.51 255.255.255.0
nat (inside) 0 access-list nonat

I believe it should do the trick
let me know if it works out
adanser83 (author) commented:
When I try entering that command I get an error: ERROR: % Invalid input detected at '^' marker.

adanser83 (author) commented:
Result of the command: "access-list nonat 10.23.140.0 255.255.252.0 10.23.136.51 255.255.255.0"

access-list nonat 10.23.140.0 255.255.252.0 10.23.136.51 255.255.255.0
                             ^
ERROR: % Invalid input detected at '^' marker.

max_the_king commented:
you have to enter the configuration mode:

conf t


after entering the commands do not forget to save to flash:
write mem


royit commented:
Do you have nat-control enabled? If so, all traffic needs NAT between zones.

You can check using sh run nat-control. If configured, define transparent NAT (an identity static covering the whole /22 inside network, matching the inside interface mask):

static (inside,DMZ) 10.23.140.0 10.23.140.0 netmask 255.255.252.0

If no nat-control, traffic flows from higher security to lower security.


max_the_king commented:
sorry adanser, I missed a part, the correct commands are:

access-list nonat permit ip 10.23.140.0 255.255.252.0 10.23.136.51 255.255.255.0
nat (inside) 0 access-list nonat

you should only need this
let me know


adanser83 (author) commented:
That didn't seem to work either. I got an error message: ERROR: IP address,mask <10.23.136.51,255.255.255.0> doesn't pair

I believe it should be 10.23.136.0,255.255.255.0  is this correct?

max_the_king commented:
yes, correct

10.23.136.0,255.255.255.0

adanser83 (author) commented:
That worked!
Thank you again for your time and effort in assisting me with this problem. I've learned a lot.
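Editor's note. The thread converges on a single nat 0 line, but jmeggers' answer lists three separate pieces (NAT exemption, ICMP handling for testing with ping, and a DMZ ACL if DMZ hosts must initiate to inside), and royit's point about nat-control is the check to run first. The block below pulls those together as one ASA 8.2(5) configuration; it is an added example, not config posted by anyone in the thread. Addresses and masks are taken from the posted show run. The ACL names nonat_dmz and DMZ_access_in, the host 10.23.140.100 used in packet-tracer, and the DMZ-to-inside DNS rule are assumptions for illustration; the class-map/policy-map lines are the ASA defaults, written out in full because they do not appear in the posted show run.

```cisco
! Added example (not from the thread). ASA 8.2(5) syntax, addresses from the
! posted config. nonat_dmz, DMZ_access_in, host 10.23.140.100 and the DNS rule
! in step 4 are assumptions for illustration.
!
! 0. Check first (enable mode): with nat-control enabled every inter-interface
!    flow needs a translation, so the exemption below is mandatory, not optional.
! show run nat-control
!
! 1. Exempt inside<->DMZ traffic from NAT. Without it, inside->DMZ traffic
!    matches "nat (inside) 1 0.0.0.0 0.0.0.0" but there is no "global (DMZ) 1",
!    so the ASA drops it and logs 305005 "No translation group found".
!    Both addresses must be the network address for their mask; writing
!    10.23.136.51 255.255.255.0 is rejected with "doesn't pair".
access-list nonat extended permit ip 10.23.140.0 255.255.252.0 10.23.136.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Same exemption seen from the DMZ side. Needed only if DMZ hosts will
!    initiate connections to inside; replies to inside-initiated connections
!    already follow the existing connection entry.
access-list nonat_dmz extended permit ip 10.23.136.0 255.255.255.0 10.23.140.0 255.255.252.0
nat (DMZ) 0 access-list nonat_dmz
!
! 3. ICMP inspection, so a ping from inside gets its echo-reply back without
!    an inbound permit on the DMZ interface. These are the default class-map
!    and policy-map; they are absent from the posted show run, hence in full.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! 4. Only if DMZ hosts must reach specific inside services. Binding an ACL to
!    the DMZ interface replaces the implicit permit toward lower-security
!    interfaces, so the trailing "permit ip any any" keeps DMZ->outside working
!    while the deny keeps the rest of inside closed. Illustrative service:
!    the DNS server 10.23.140.5 named in the posted config.
access-list DMZ_access_in extended permit udp 10.23.136.0 255.255.255.0 host 10.23.140.5 eq domain
access-list DMZ_access_in extended deny ip any 10.23.140.0 255.255.252.0
access-list DMZ_access_in extended permit ip any any
access-group DMZ_access_in in interface DMZ
!
! 5. Verify, then save (enable mode):
! packet-tracer input inside tcp 10.23.140.100 12345 10.23.136.12 80
! show xlate
! write memory
```

packet-tracer shows each phase (route lookup, NAT, ACL) and an explicit drop reason, so run it before and after applying step 1; the before run should end at the NAT phase. Two caveats from the posted config itself: Vlan3 carries `no forward interface Vlan1`, the ASA 5505 Base-license restriction on a third VLAN, so DMZ-initiated connections to inside are blocked at that level regardless of steps 2 and 4, while inside-initiated connections and their replies are unaffected. Unrelated to the question but worth fixing, `outside_access_in` permits telnet, ssh, tftp and NetBIOS from any source to any destination, which exposes every static-mapped host on those ports.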