Firewall Wizards mailing list archives
Re: ASA 5505 - Allow DMZ to Access Internal network
From: "Arne Svennevik" <arne.svennevik () met no>
Date: Mon, 13 Oct 2008 15:11:01 +0200
First of all, you need to allow ICMP in your access-list for ping to work between DMZ2 and inside. So add this line:

access-list acl_DMZ2_to_INSIDE extended permit icmp any any

or replace the entire access-list with:

access-list acl_DMZ2_to_INSIDE extended permit ip any any

The static in your config seems a bit odd, try replacing it with this one:

static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0

This basically says that all inside hosts should be reachable by their own IP address in DMZ2, presuming the access list allows the traffic.

Regards,
Arne Svennevik

From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Manoj Kalpage
Sent: Monday, October 06, 2008 4:28 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network

Hi All,

I am trying to configure giving DMZ access to everything in the internal network. I have the configuration below for DMZ to internal, but I cannot ping either network. Is this allowed with ASA ver 8.0? Am I doing something wrong? Any help would be greatly appreciated.

Thanks in advance.
MK

interface Vlan1
 description For XXXX Network
 nameif inside
 security-level 100
 ip address 172.24.53.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Bitddd
 ip address pppoe setroute
!
interface Vlan3
 description for Back Office Network
 nameif DMZ1
 security-level 100
 ip address 172.23.53.1 255.255.255.0
!
interface Vlan4
 description DMZ2 for XXX Network
 nameif DMZ2
 security-level 75
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/0
 description To Outside
 switchport access vlan 2
!
interface Ethernet0/1
 description To XXX Network
!
interface Ethernet0/2
 description To Inside Back Office Network
 switchport access vlan 3
!
interface Ethernet0/3
 description To XXX Network
 switchport access vlan 4
!
access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any
global (outside) 1 interface
global (DMZ1) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.24.53.0 255.255.255.0
nat (DMZ1) 1 172.23.53.0 255.255.255.0
nat (DMZ2) 1 192.168.30.0 255.255.255.0
nat (DMZ3) 1 192.168.100.0 255.255.255.0
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255
access-group acl_DMZ2_to_INSIDE in interface DMZ2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply DMZ1
icmp permit any echo DMZ1
icmp permit any echo-reply DMZ2
icmp permit any echo DMZ2
icmp permit any echo-reply DMZ3
icmp permit any echo DMZ3
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
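The reply above points at two separate defects: an access-list that permits only TCP and UDP (so echo requests from DMZ2 are dropped by the implicit deny), and a static whose mapped side covers a single address with a /32 mask rather than the inside subnet. The following is an added Python example, not code from the thread or from Cisco, that parses the relevant ASA 8.0 lines (nameif, security-level, extended access-list, access-group, static) and evaluates a DMZ2-to-inside flow against the poster's original configuration and against the corrected one. It is a simplified model: ACLs are matched on addresses as seen on the ingress interface (pre-8.3 behaviour), and it assumes, nat-control style, that a flow from a lower- to a higher-security interface also needs a static covering its destination. The host addresses 192.168.30.20 and 172.24.53.10 are constructed for the demonstration.

```python
import ipaddress

# Constructed from the thread: the relevant lines of the poster's original
# configuration (interfaces trimmed to what the checks need).
ORIGINAL = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan4
 nameif DMZ2
 security-level 75
access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255
access-group acl_DMZ2_to_INSIDE in interface DMZ2
"""

# The same configuration with the two replacements suggested in the reply.
FIXED = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan4
 nameif DMZ2
 security-level 75
access-list acl_DMZ2_to_INSIDE extended permit ip any any
static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0
access-group acl_DMZ2_to_INSIDE in interface DMZ2
"""


def _addr(tokens, i):
    """Parse one ACL address operand (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(config):
    """Pull security levels, extended ACLs, access-groups and statics out of config text."""
    levels, acls, bindings, statics = {}, {}, {}, []
    current_if = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":
            current_if = t[1]
        elif t[0] == "security-level":
            levels[current_if] = int(t[1])
        elif t[0] == "access-list" and t[2] == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
        elif t[0] == "static":
            # static (REAL_IF,MAPPED_IF) MAPPED_ADDR REAL_ADDR netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped = ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)
            real = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            statics.append((real_if, mapped_if, mapped, real))
    return levels, acls, bindings, statics


def evaluate(cfg, ingress, egress, src, dst, proto):
    """Run the two checks the thread discusses for a flow entering on `ingress`."""
    levels, acls, bindings, statics = cfg
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lower_to_higher = levels[ingress] < levels[egress]

    # Check 1: does a static on (egress,ingress) cover the destination as it is
    # addressed from the ingress side? If so, work out the real address behind it.
    real_dst = None
    for real_if, mapped_if, mapped, real in statics:
        if real_if == egress and mapped_if == ingress and dst_ip in mapped:
            offset = int(dst_ip) - int(mapped.network_address)
            real_dst = str(ipaddress.ip_address(int(real.network_address) + offset))
            break

    # Check 2: the inbound ACL on the ingress interface. Pre-8.3 ACLs match the
    # addresses as seen on that interface, i.e. before translation. Without an
    # ACL, only higher-to-lower security traffic passes.
    acl_name = bindings.get(ingress)
    if acl_name is None:
        acl_permits = not lower_to_higher
    else:
        acl_permits = False  # implicit deny at the end of the list
        for action, rproto, rsrc, rdst in acls.get(acl_name, []):
            if rproto in ("ip", proto) and src_ip in rsrc and dst_ip in rdst:
                acl_permits = action == "permit"
                break

    # Assumption (nat-control style): lower-to-higher traffic also needs a translation.
    permitted = acl_permits and (real_dst is not None or not lower_to_higher)
    return {"real_dst": real_dst, "acl_permits": acl_permits, "permitted": permitted}


if __name__ == "__main__":
    # Constructed hosts: a DMZ2 host pinging an inside host by its own address.
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        cfg = parse(text)
        for proto in ("icmp", "tcp"):
            print(label, proto, evaluate(cfg, "DMZ2", "inside",
                                         "192.168.30.20", "172.24.53.10", proto))
```

Running it shows why the poster could not ping even though TCP was in the list: with the original configuration the ICMP flow fails both checks, and a TCP flow passes the ACL but still has no static covering 172.24.53.10. With the identity static and the `permit ip any any` line, the flow is translated to itself and permitted; the reverse direction (inside to DMZ2) is permitted by the security-level rule alone, since no ACL is bound inbound on inside.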