ASA 5505 - Allow Access Internal network to DMZ

Unanswered Question
Mar 13th, 2009

Hi Experts,

I have an HTTP Server in the DMZ which I need to give access to the Inside Network (LAN).

I have configured the ASA 5510 as follows.

Problem is I could access http and ping http server from LAN.

Configuration:

int eth0/0
 Description LAN Interface
 nameif LAN
 Security-Level 99
 ip address 192.168.2.1 255.255.255.0
int eth0/1
 Description DMZ Interface
 nameif DMZ
 Security-Level 50
 ip address 10.10.10.1 255.255.255.0

static (DMZ,LAN) 20.20.20.20 10.10.10.2 netmask 255.255.255.255 (Original IP is 10.10.10.2 - mapped with 20.20.20.20).

access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq echo
access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq echo-reply
access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq 80 permit ip any any
access-group INSIDE TO DMZ in interface LAN

router rip
 ver 2
 network 10.10.10.0
 network 192.168.2.0
 default-information originate

Please help me with what I have done wrong in the configuration.

RicheeJJJ_2 Sat, 03/14/2009 - 12:03

I am totally confused.

1. Is this on a 5505 or a 5510? If it's a 5505 you can't do it. You're only allowed 2 vlans on the 5505. The 3rd is only allowed to talk to 1 other vlan.

2. You say that you want a device in your DMZ to have full access to devices in your inside network. The purpose of putting something in your DMZ is so that it can't talk to anything on the inside. You might have a design flaw there.

3. You wrote "Problem is I could access http and ping http server from LAN." which confuses me too. You don't want that to happen?

Well I am assuming that you are not able to access your web server when you enter 20.20.20.20 on your machine from inside network (LAN).

Here are a few points to consider then:

1. Following access list is not correct:

access-list INSIDE TO DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq 80 permit ip any any

I would put the following instead of the above one:

access-list INSIDE TO DMZ extended permit tcp host 192.168.2.2 host 20.20.20.20 eq 80

2. ICMP is not stateful. So you need to allow icmp echo and echo-reply from DMZ to LAN as well, or use "fixup protocol icmp" (I didn't have a good experience using fixup for icmp).

3. I hope the gateway on 192.168.2.2 is 192.168.2.1. If not, add the following static route on your system:

route add 20.20.20.20 mask 255.255.255.255 192.168.2.1

It should work then. Cheers.
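A small checker for the two mistakes the answer identifies, added here as an example and not part of the thread: it parses ASA-style access-list, access-group and static lines, flags a port operator on a non-tcp/udp ACE and a second ACE run onto the same line, and, when no ICMP inspection is configured, reports an echo permit that has no matching echo-reply permit inbound on the far interface. The ACL name INSIDE_TO_DMZ (the post writes it with spaces, which the ASA would not accept) and the DMZ_TO_INSIDE ACL in the corrected sample are assumptions; addressing follows the pre-8.3 convention of the post (mapped address in the LAN-side ACL, real address on the DMZ side). The checker tolerates the "eq echo" form used in the post, although the ASA's own syntax puts the ICMP type directly after the addresses.

```python
import re
from dataclasses import dataclass, field

ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded", "traceroute"}
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    qualifier: str = ""                        # "eq 80", "range 1 2", or an ICMP type
    extra: list = field(default_factory=list)  # tokens left over after a complete ACE


def _addr(tokens):
    """Consume one address argument: 'any', 'host X' or 'X MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_ace(line):
    """Return an Ace for an extended access-list line, or None for any other line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _addr(tokens)
    dst, tokens = _addr(tokens)
    qualifier = ""
    if tokens and tokens[0] in PORT_OPERATORS:
        n = 3 if tokens[0] == "range" else 2
        qualifier, tokens = " ".join(tokens[:n]), tokens[n:]
    elif tokens and proto == "icmp" and tokens[0] in ICMP_TYPES:
        qualifier, tokens = tokens[0], tokens[1:]
    return Ace(acl, action, proto, src, dst, qualifier, tokens)


def lint_ace(ace):
    findings = []
    op = ace.qualifier.split()
    if op and op[0] in PORT_OPERATORS and ace.proto not in ("tcp", "udp"):
        # 'eq echo' on icmp is tolerated (intent is clear); 'eq 80' on icmp is not.
        if not (ace.proto == "icmp" and op[-1] in ICMP_TYPES):
            hint = " (HTTP is tcp/80)" if op[-1] in ("80", "www") else ""
            findings.append(f"{ace.acl}: port match '{ace.qualifier}' is only valid for "
                            f"tcp/udp, not {ace.proto}{hint}")
    if ace.extra:
        findings.append(f"{ace.acl}: trailing tokens {' '.join(ace.extra)!r} after a complete "
                        "ACE; a second ACE was probably pasted onto the same line")
    return findings


def _icmp_type(ace):
    toks = ace.qualifier.split()
    return toks[-1] if toks else ""


def _check_icmp_return(aces, groups, nat):
    """Without ICMP inspection the ASA does not pair echo with echo-reply, so each permitted
    echo needs an echo-reply permit inbound on the far interface.  Pre-8.3 addressing as in
    the post: the near ACL names the mapped address, the far ACL sees the real one."""
    out = []
    for ace in aces:
        if ace.proto != "icmp" or ace.action != "permit" or _icmp_type(ace) != "echo":
            continue
        near_if, real_dst = groups.get(ace.acl), nat.get(ace.dst, ace.dst)
        has_return = any(
            r.proto == "icmp" and r.action == "permit" and _icmp_type(r) == "echo-reply"
            and groups.get(r.acl) not in (None, near_if)
            and r.src in (real_dst, "any") and r.dst in (ace.src, "any")
            for r in aces)
        if not has_return:
            out.append(f"{ace.acl}: echo {ace.src}->{ace.dst} permitted, but no echo-reply "
                       f"{real_dst}->{ace.src} is permitted inbound on another interface and "
                       "ICMP inspection is off, so replies are dropped")
    return out


def lint_config(config):
    aces, groups, nat, icmp_inspected = [], {}, {}, False
    for line in config.splitlines():
        line = line.strip()
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
        elif m := re.match(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", line):
            groups[m.group(1)] = m.group(2)          # ACL name -> interface it guards
        elif m := re.match(r"^static\s+\(\S+,\S+\)\s+(\S+)\s+(\S+)\s+netmask", line):
            nat[m.group(1)] = m.group(2)             # mapped address -> real address
        elif re.search(r"\b(inspect icmp|fixup protocol icmp)\b", line):
            icmp_inspected = True
    findings = [f for ace in aces for f in lint_ace(ace)]
    if not icmp_inspected:
        findings += _check_icmp_return(aces, groups, nat)
    return findings


# Constructed sample modeled on the post (ACL name made space-free; an assumption).
POSTED_CONFIG = """
static (DMZ,LAN) 20.20.20.20 10.10.10.2 netmask 255.255.255.255
access-list INSIDE_TO_DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq echo
access-list INSIDE_TO_DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq echo-reply
access-list INSIDE_TO_DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 eq 80 permit ip any any
access-group INSIDE_TO_DMZ in interface LAN
"""

# Constructed correction along the lines of the answer: tcp/80 for HTTP, echo-reply DMZ->LAN.
FIXED_CONFIG = """
static (DMZ,LAN) 20.20.20.20 10.10.10.2 netmask 255.255.255.255
access-list INSIDE_TO_DMZ extended permit icmp host 192.168.2.2 host 20.20.20.20 echo
access-list INSIDE_TO_DMZ extended permit tcp host 192.168.2.2 host 20.20.20.20 eq 80
access-group INSIDE_TO_DMZ in interface LAN
access-list DMZ_TO_INSIDE extended permit icmp host 10.10.10.2 host 192.168.2.2 echo-reply
access-group DMZ_TO_INSIDE in interface DMZ
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name}: {len(lint_config(cfg))} finding(s)")
        for f in lint_config(cfg):
            print("  -", f)
```

Run against the posted sample it reports three findings (the icmp/80 mismatch, the run-together ACE, and the missing echo-reply path); the corrected sample is clean. The return-path check is deliberately conservative: it treats "any" as a match but otherwise wants the exact real address of the DMZ host, since that is what the DMZ-side ACL sees on pre-8.3 code.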
