Solved

ASA 5505 DMZ web server access to LAN web server

Posted on 2015-01-22
Last Modified: 2015-09-09
Hi, I have followed this example (pasted below), and now my hosts on the LAN can speak to a server on my DMZ, and the DMZ can speak with the internet. All good.

But I need my DMZ server to be able to reach an internal server on the LAN, 10.25.100.18 (port 80). What am I missing? Some kind of access-list, I guess? The ASA has the "dmz license" so it's not that.


The short version of my config:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.25.100.0 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.100.0 255.255.255.0


access-list dmznat extended permit ip 10.25.100.0 255.255.255.0 192.168.100.0 255.255.255.0

global (DMZ) 1 interface
nat (inside) 1 access-list dmznat


Tia!

LHC
Question by:melfarit

Expert Comment

by:Feroz Ahmed
Hi,

You will have to define a policy on the ASA in order to reach the host on the LAN, as below:

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once the above is configured, you will be able to reach the host from the DMZ.

Accepted Solution

by:
Feroz Ahmed earned 500 total points
Hi,

You can define an access-list as below, since you want to communicate from the DMZ to the inside network; the access-list configuration below will work.

ASA#access-list 101 permit DMZ in or inside
ASA#access-group 101 in interface DMZ

The above configuration will work; just try it and update me.
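A least-privilege form of the DMZ-to-inside rule discussed in this thread, written for the pre-8.3 ASA syntax that the question's global/nat lines use. This is an added example, not configuration from either poster; the DMZ server address 192.168.100.10 and the ACL name dmz_in are assumptions.

```cisco
! Added example for ASA software before 8.3.
! Assumed values: DMZ web server = 192.168.100.10, ACL name = dmz_in.

! Allow only the DMZ server to reach only the internal web server on TCP/80.
access-list dmz_in extended permit tcp host 192.168.100.10 host 10.25.100.18 eq www

! Keep every other DMZ-to-inside flow blocked, so a compromised DMZ host
! cannot reach the rest of the LAN.
access-list dmz_in extended deny ip any 10.25.100.0 255.255.255.0

! An ACL bound to an interface replaces the implicit "permit to lower
! security level" behaviour, so DMZ-to-internet traffic must be allowed
! explicitly or it stops working once the access-group is applied.
access-list dmz_in extended permit ip any any

access-group dmz_in in interface DMZ

! Identity static: presents 10.25.100.18 to the DMZ under its real address,
! so DMZ-initiated connections have a translation to match instead of
! depending on the inside-to-DMZ dynamic PAT rule from the question.
static (inside,DMZ) 10.25.100.18 10.25.100.18 netmask 255.255.255.255

! Verification, run from privileged EXEC mode:
!   show access-list dmz_in
!   packet-tracer input DMZ tcp 192.168.100.10 1025 10.25.100.18 80
```

The hit counters in show access-list dmz_in show which entry a test connection matched, and packet-tracer reports the phase (ACL or NAT) that drops a flow.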
