ASA5510, communication across DMZs

Unanswered Question
Feb 7th, 2009

I have two DMZs

DMZ1: 192.168.1.1, security level 10

DMZ2: 192.168.2.1, security level 5

If I want the lower level to be able to communicate with the higher level DMZ:

static (DMZ1,DMZ2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-group dmz_allowed in interface DMZ1

access-list dmz_allowed permit icmp host 192.168.2.2 host 192.168.1.25 echo
access-list dmz_allowed permit icmp host 192.168.2.2 host 192.168.1.25 echo-reply
access-list dmz_allowed permit tcp host 192.168.2.2 host 192.168.1.25 eq smtp
access-list dmz_allowed permit tcp host 192.168.2.2 host 192.168.1.25 eq http
access-list dmz_allowed permit tcp host 192.168.2.2 host 192.168.1.25 eq https

If I am only doing keepalive checks from DMZ2 to DMZ1, and traffic is always sourced from DMZ2, does there have to be a NAT, Global statement from DMZ1 to DMZ2?

Or would that be needed only if DMZ1 initiated communication to DMZ2?

eddie.mitchell@... Sat, 02/07/2009 - 11:18

This:

access-group dmz_allowed in interface DMZ1

Should be:

access-group dmz_allowed in interface DMZ2

Yes, you would only need nat/global statements if DMZ1 hosts are initiating traffic into DMZ2.
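For reference, here is the corrected configuration put together as an added example (it is not the poster's config or a Cisco reference config). It assumes a pre-8.3 ASA image, where the static/nat/global syntax in the question applies, and the interface names Ethernet0/1 and Ethernet0/2 are assumed for illustration. The key points: an "in" access-group is evaluated on packets arriving at that interface, so a list meant to permit DMZ2-sourced keepalives must be bound to DMZ2; ICMP access-list entries take the type name directly rather than "eq"; and with ICMP inspection enabled the echo replies are matched to their requests statefully, so no separate echo-reply entry is needed for pings initiated from DMZ2 (an echo-reply entry on the DMZ2 inbound list would only matter for replies to pings initiated from DMZ1). The packet-tracer lines at the end are the check to run after applying it.

```cisco
! Interfaces as described in the question (interface numbers are assumed)
interface Ethernet0/1
 nameif DMZ1
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ2
 security-level 5
 ip address 192.168.2.1 255.255.255.0
!
! Identity static: DMZ1 hosts are reachable from DMZ2 at their real addresses.
! No nat/global for DMZ1 -> DMZ2 is needed while only DMZ2 initiates traffic.
static (DMZ1,DMZ2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Before (from the question): the list was bound to DMZ1, an interface this
! traffic never enters, so it would not permit anything from 192.168.2.2.
!   access-group dmz_allowed in interface DMZ1
!
! After: permit only the monitoring host to the monitored host, and bind the
! list on DMZ2, the interface the keepalives enter. ICMP types take no "eq".
access-list dmz_allowed extended permit icmp host 192.168.2.2 host 192.168.1.25 echo
access-list dmz_allowed extended permit tcp host 192.168.2.2 host 192.168.1.25 eq smtp
access-list dmz_allowed extended permit tcp host 192.168.2.2 host 192.168.1.25 eq http
access-list dmz_allowed extended permit tcp host 192.168.2.2 host 192.168.1.25 eq https
access-group dmz_allowed in interface DMZ2
!
! Stateful ICMP: echo replies are matched to the outbound request, so the
! reply needs no access-list entry of its own.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification (run from enable mode): both traces should end with
! "Action: allow"; an SMTP keepalive and an ICMP echo from the monitor.
!   packet-tracer input DMZ2 tcp 192.168.2.2 1025 192.168.1.25 25
!   packet-tracer input DMZ2 icmp 192.168.2.2 8 0 192.168.1.25
```

The access-list is deliberately host-to-host rather than network-wide: the lower-security DMZ2 gets exactly the keepalive paths it needs and nothing else, and if the monitor is ever compromised the reachable surface in DMZ1 is one host on four services.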
