melfarit
asked on
ASA 5505 DMZ web server access to LAN web server
Hi, I have followed this example (pasted below), and now my hosts on the LAN can speak to a server on my DMZ, and the DMZ can speak with the internet. All good.
But I need my DMZ server to be able to reach an internal server on the LAN, 10.25.100.18 (port 80). What am I missing? Some kind of access-list, I guess? The ASA has the "dmz license" so it's not that.
The short config with my config.
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.25.100.0 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.100.0 255.255.255.0
access-list dmznat extended permit ip 10.25.100.0 255.255.255.0 192.168.100.0 255.255.255.0
global (DMZ) 1 interface
nat (inside) 1 access-list dmznat
Tia!
LHC
You will have to define a policy on the ASA in order to reach the host on the LAN, as below:
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
Once the above is configured, you will be able to reach the host from the DMZ.