Firewall Wizards mailing list archives

Re: DMZ to INSIDE Communication


From: "Ian Mahuron" <mahuron () gmail com>
Date: Wed, 24 Oct 2007 07:24:48 -0700

Sorry for the late reply.

Chris, you've confused the idea of a real IP vs a NAT IP.  The real IP
(Cisco calls this the local IP) is the IP you've configured on the
host.  That NAT would be the alternative IP you're exposing on other
interfaces.  I don't mean to nitpick but I believe this will help you
to better communicate should you need to use this list in the future
(or should someone other than you have to work with the wonky names in
your policy!).

The missing static sticks out like a sore thumb.  This seems to catch
every new PIX/ASA admin so don't feel bad.  Hopefully you found the
problem by reading the manual.  It's very important to understand how
translation works on a PIX/ASA.  Every connection requires an xlate.
This means that each ACE in an interface ACL will need a matching
static or nat.

There is rarely ever a good reason to perform translation between your
DMZ and inside networks.  Your firewall is perfectly capable of
routing between the networks.  You should require, at most, one static
for them to communicate.  This would read something along the lines
of:

static (inside, DMZ) <inside netid> <inside netid> netmask <inside netmask>

This is often referred to as an identity NAT.

Granular identity NATs should be avoided.  Some people appear to use
them as an added security measure but this is poor practice.

If you haven't already, you should apply an ACL to your DMZ and inside
interfaces.

Finally, Anthony is absolutely correct.  AFAIK, there is _no way_ to
have a functioning dmz _and_ inside (assuming you want them to be able
to chat) with a base license on a 5505.  I spent a good hour trying to
work around it.  It's too bad as it would make for a very sweet budget
firewall.  The license that removes this limitation is considerably
more money (2x).

Ian
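As an added illustration of the two points made above (every ACE in an inbound interface ACL needs a matching static, and identity NAT should be one network-wide static rather than per-host entries), here is a small lint script written for this archive page; it is not code from the thread or from Cisco. It models only a simplified subset of PIX/ASA 7.x syntax: address and port `static` entries, `access-list ... extended` lines with `host`/`any`/net-mask address specs, and `access-group ... in interface`. `nat`/`global` pairs are not modelled, so a dynamic translation would not be recognized. The name table, service ports and the config fragment are constructed for the example, using documentation address ranges.

```python
import ipaddress
import re

# Constructed inputs (not from the thread): a stand-in for ASA "name" entries
# and the service names the fragment uses.
NAMES = {"EXCHANGE1": "10.1.0.25"}
PORTS = {"smtp": 25, "www": 80, "https": 443}

# Constructed config fragment: one network-wide identity static, one
# redundant per-host identity static, one port static, and a DMZ inbound ACL.
CONFIG = """
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,DMZ) 10.1.0.25 10.1.0.25 netmask 255.255.255.255
static (inside,DMZ) tcp 192.0.2.10 smtp EXCHANGE1 smtp netmask 255.255.255.255
access-list DMZ_IN extended permit tcp host 172.16.0.5 host 10.1.0.25 eq smtp
access-list DMZ_IN extended permit tcp host 172.16.0.5 host 192.0.2.10 eq smtp
access-list DMZ_IN extended permit tcp host 172.16.0.5 host 10.2.0.7 eq https
access-group DMZ_IN in interface DMZ
"""

STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\)\s+(.+?)\s+netmask\s+(\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def addr(tok):
    """Resolve a name-table entry or dotted quad to an IPv4Address."""
    return ipaddress.IPv4Address(NAMES.get(tok, tok))


def port(tok):
    return int(tok) if tok.isdigit() else PORTS[tok]


def parse_addr_spec(t, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(str(addr(t[i + 1]))), i + 2
    return ipaddress.IPv4Network((str(addr(t[i])), t[i + 1]), strict=False), i + 2


def parse_config(text):
    statics, aces, applied = [], [], {}
    for line in text.strip().splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, body, mask = m.groups()
            f = body.split()
            if f[0] in ("tcp", "udp"):
                # static (real,mapped) proto MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT
                mapped_ip, real_ip = addr(f[1]), addr(f[3])
                proto, mport = f[0], port(f[2])
            else:
                # static (real,mapped) MAPPED_IP REAL_IP
                mapped_ip, real_ip = addr(f[0]), addr(f[1])
                proto, mport = None, None
            statics.append({
                "line": line, "mapped_if": mapped_if, "real_if": real_if,
                "net": ipaddress.IPv4Network((str(mapped_ip), mask), strict=False),
                "proto": proto, "port": mport, "identity": mapped_ip == real_ip,
            })
            continue
        m = GROUP_RE.match(line)
        if m:
            applied[m.group(1)] = m.group(2)   # ACL name -> interface it is applied on
            continue
        t = line.split()
        if t[:1] == ["access-list"] and t[2] == "extended":
            src, i = parse_addr_spec(t, 5)
            dst, i = parse_addr_spec(t, i)
            dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            aces.append({"line": line, "acl": t[1], "proto": t[4],
                         "src": src, "dst": dst, "dport": dport})
    return statics, aces, applied


def has_xlate(ace, statics, applied):
    """True if a static whose mapped side is the ACL's interface covers the ACE destination."""
    iface = applied.get(ace["acl"])
    for s in statics:
        if s["mapped_if"] != iface or not ace["dst"].subnet_of(s["net"]):
            continue
        if s["proto"] is None:                       # address static covers all ports
            return True
        if s["proto"] == ace["proto"] and s["port"] == ace["dport"]:
            return True
    return False


def aces_without_xlate(text):
    """ACE lines that would never build a connection because no static matches them."""
    statics, aces, applied = parse_config(text)
    return [a["line"] for a in aces if not has_xlate(a, statics, applied)]


def granular_identity_statics(text):
    """Per-host (/32) identity statics, which the reply above says to avoid."""
    statics, _, _ = parse_config(text)
    return [s["line"] for s in statics if s["identity"] and s["net"].prefixlen == 32]


if __name__ == "__main__":
    for line in aces_without_xlate(CONFIG):
        print("no matching static for:", line)
    for line in granular_identity_statics(CONFIG):
        print("granular identity NAT:", line)
```

Run against the constructed fragment, the script reports the `https` ACE to 10.2.0.7 (no static on the DMZ side translates that address) and the redundant /32 identity static for 10.1.0.25, while the SMTP ACEs pass because the /16 identity static and the port static cover them.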

On 10/15/07, Anthony <ez4me2c3d () gmail com> wrote:
So you weren't running into the issue of the base license not allowing
DMZ initiated traffic to the inside network?

"With the Base platform, communication between the DMZ VLAN and the
Inside VLAN is restricted: the Inside VLAN is permitted to send traffic
to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to
the Inside VLAN."

http://cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html#wp1101628

Anthony

chris mr wrote:
Thanks for your help...

I had to add another static into the ASA and ACL on DMZ in.

mail.domain.com = 12.x.x.x
EXCHANGE1 = natted ip of Exchange on inside

static (inside,DMZ) tcp 12.x.x.x smtp EXCHANGE1 smtp netmask 255.255.255.255





_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



