Firewall Wizards mailing list archives

Re: ASA 5505 - Allow DMZ to Access Internal network


From: "Arne Svennevik" <arne.svennevik () met no>
Date: Mon, 13 Oct 2008 15:11:01 +0200

First of all, you need to allow ICMP in your access-list for ping to work
between DMZ2 and inside. So add this line:

access-list acl_DMZ2_to_INSIDE extended permit icmp any any

or replace the entire access-list with:

access-list acl_DMZ2_to_INSIDE extended permit ip any any

The static in your config seems a bit odd, try replacing it with this one:

static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0

This basically says that all inside hosts should be reachable by their own
IP address in DMZ2, presuming the access list allows the traffic.


Regards,

Arne Svennevik :)
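A narrower version of the same fix, added here as an example and not taken from either message: it keeps the identity static Arne suggests, limits the DMZ2 rule to ICMP echo plus one service on one inside host (172.24.53.10 is an assumed address), and ends with the ASA CLI checks used to confirm that a ping from DMZ2 would actually be permitted and translated.

```cisco
! Added example, not from either message. Assumptions: 172.24.53.10 is the
! inside host DMZ2 needs to reach (hypothetical); 192.168.30.0/24 is the DMZ2
! subnet and 172.24.53.0/24 the inside subnet, as in the original post.
!
! Identity NAT: inside hosts keep their own addresses when seen from DMZ2.
static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0
!
! Rebuild the DMZ2 inbound ACL. Allow echo for troubleshooting and only the
! application port that is needed; log everything else that is dropped so
! unexpected DMZ2-to-inside attempts show up in syslog.
clear configure access-list acl_DMZ2_to_INSIDE
access-list acl_DMZ2_to_INSIDE extended permit icmp 192.168.30.0 255.255.255.0 172.24.53.0 255.255.255.0 echo
access-list acl_DMZ2_to_INSIDE extended permit tcp 192.168.30.0 255.255.255.0 host 172.24.53.10 eq 443
access-list acl_DMZ2_to_INSIDE extended deny ip any any log
access-group acl_DMZ2_to_INSIDE in interface DMZ2
!
! Track echo/echo-reply as one connection so replies are matched to the
! request instead of being evaluated as new connections.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify from the CLI before testing from a host: packet-tracer walks the
! ACL, NAT and route phases for a synthetic ICMP echo (type 8, code 0) from
! a DMZ2 host (192.168.30.10, hypothetical) to the inside host.
packet-tracer input DMZ2 icmp 192.168.30.10 8 0 172.24.53.10
show xlate
show access-list acl_DMZ2_to_INSIDE
```

If packet-tracer reports a drop, the phase it names (ACCESS-LIST, NAT or ROUTE-LOOKUP) tells you which of the three pieces is still wrong before any host-side troubleshooting.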


From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Manoj
Kalpage
Sent: Monday, October 06, 2008 4:28 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network

Hi All,
I am trying to configure giving DMZ access to everything in the internal network. I
have the configuration below for DMZ to internal, but I cannot ping to either
network. Is this allowed with ASA ver 8.0? Am I doing something wrong?
Any help would be greatly appreciated.

Thanks in advance.

MK

interface Vlan1
 description For XXXX Network
 nameif inside
 security-level 100
 ip address 172.24.53.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Bitddd
 ip address pppoe setroute
!
interface Vlan3
 description for Back Office Network
 nameif DMZ1
 security-level 100
 ip address 172.23.53.1 255.255.255.0
!
interface Vlan4
 description DMZ2 for XXX Network
 nameif DMZ2
 security-level 75
 ip address 192.168.30.1 255.255.255.0

interface Ethernet0/0
 description To Outside
 switchport access vlan 2
!
interface Ethernet0/1
 description To XXX Network
!
interface Ethernet0/2
 description To Inside Back Office Network
 switchport access vlan 3
!
interface Ethernet0/3
 description To XXX Network
 switchport access vlan 4

access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any

global (outside) 1 interface
global (DMZ1) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.24.53.0 255.255.255.0
nat (DMZ1) 1 172.23.53.0 255.255.255.0
nat (DMZ2) 1 192.168.30.0 255.255.255.0
nat (DMZ3) 1 192.168.100.0 255.255.255.0
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255

access-group acl_DMZ2_to_INSIDE in interface DMZ2

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply DMZ1
icmp permit any echo DMZ1
icmp permit any echo-reply DMZ2
icmp permit any echo DMZ2
icmp permit any echo-reply DMZ3
icmp permit any echo DMZ3

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards