ASA 5505 inside access to dmz

Unanswered Question
Mar 5th, 2009

I have an ASA 5505 set up with 3 vlans (outside 0, dmz 50, and inside 100). I can't figure out how to allow the clients on the inside vlan access to the dmz. Inside has access to internet, dmz has access to internet, and internet has access to dmz. My config is attached (I do have a site to site ipsec vpn that is working).





sdoremus33 Thu, 03/05/2009 - 18:36

One thing I did see was this

access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0 log debugging


Shouldn't 192.168.1.0 be 192.168.100.0?

jjursch Thu, 03/05/2009 - 19:19

192.168.1.0 is my remote site to site vpn. I think those statements were added to support the vpn, but I really do not remember.

vikram_anumukonda Thu, 03/05/2009 - 23:27

Looks like you have an issue with your NAT configs.

What is this "static (dmz,inside) 192.168.99.46 71.x.x.46 netmask 255.255.255.255" used for? Is the x.x the same as in

"static (dmz,outside) 71.x.x.46 192.168.99.46 netmask 255.255.255.255"?

Try configuring NAT exemption from DMZ to INSIDE and see if it helps.

sushil@ssspl Thu, 03/05/2009 - 23:34

Try this,

Remove

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0


Use this as well,


access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
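
An added example, not part of the original thread: a small Python check that reads pre-8.3 ASA config lines and reports whether a given flow is covered by the NAT exemption ACL bound to an interface. The access-list lines are the ones quoted above; the `nat (inside) 0 access-list inside_nat0_outbound` binding is an assumption, since the attached config is not shown on the page.

```python
import ipaddress
import re

# Constructed configs in pre-8.3 ASA syntax. The access-list lines are the ones
# quoted in the thread; the "nat (inside) 0" binding is an assumption, because
# the poster's attached config is not shown on the page.
QUOTED = (
    "access-list inside_nat0_outbound extended permit ip 192.168.99.0 "
    "255.255.255.0 192.168.1.0 255.255.255.0 log debugging\n"
    "nat (inside) 0 access-list inside_nat0_outbound\n"
)
SUGGESTED = (
    "access-list inside_nat0_outbound extended permit ip 192.168.100.0 "
    "255.255.255.0 192.168.99.0 255.255.255.0\n"
)

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def parse(config):
    """Return ({acl: [(src_net, dst_net), ...]}, {interface: acl})."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := NAT0.match(line):
            bindings[m.group(1)] = m.group(2)
    return acls, bindings


def exempt_entries(config, interface, src, dst):
    """Entries of the nat 0 ACL bound to `interface` that cover src -> dst."""
    acls, bindings = parse(config)
    src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return [(s, d) for s, d in acls.get(bindings.get(interface), [])
            if src_net.subnet_of(s) and dst_net.subnet_of(d)]


if __name__ == "__main__":
    flow = ("inside", "192.168.100.0/24", "192.168.99.0/24")
    print("as quoted:      ", exempt_entries(QUOTED, *flow))
    print("with suggestion:", exempt_entries(QUOTED + SUGGESTED, *flow))
```

The nat 0 access list only selects which flows skip translation; it is not an interface access rule.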


