5505 vlan to vlan access

Unanswered Question

I have a 5505 with the base license. I have a dmz and an internal network. I chose to have the internal network to be blocked from initiating connections to the dmz. I only need dmz machines to initiate connections to the internal network. I can ssh from the dmz to the internal network successfully. But I cannot initiate any other tcp traffic from the dmz to the internal net. After reading various documents, it is my understanding that I should be able to have the dmz (as I've set it up) to initiate any connection to the internal net but not the other way around. I am new with the 5505 - if you need me the post the config, can you please explain how?

thanks in advance

-alan

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
alanajjar Wed, 03/19/2008 - 05:41

Hi,

I think the problem is in the access lists, there are mismatch between the ip addresses of interfaces and the access list parameters, like in the dmz_access_in ACL :

access-list dmz_access_in extended permit tcp 172.16.241.0 255.255.255.0 172.31.241.0 255.255.255.0

it should be

access-list dmz_access_in extended permit tcp 172.16.241.0 255.255.255.0 172.31.241.0 255.255.255.0

the case is true for other ACLs. this mismatch means that the traffic that is not permited by the ACLs will be discarded. change this and check.

regards

alanajjar Wed, 03/19/2008 - 05:56

Sorry, the correction shouldbe

it should be

access-list dmz_access_in extended permit tcp 172.16.0.0 255.255.255.0 172.31.0.0 255.255.255.0

regards

Hi,

thanks for looking at the config. I made the change as you suggested and I still had the same problem. Looking further into it I discovered that iptables on the target host was turned on and blocking all non ssh acess. (This is a new server that the hosting company just setup) Turning off the responsible iptables rules on the linux box solved the problem.

thanks again,

-alan

Actions

This Discussion