Firewall DMZ to Inside Access

Feb 14th, 2010

I have Cisco ASA firewall in multi context mode.



    DMZ (172.16.11.100, 101, 102)
            |
         Firewall
            |
    Inside (192.168.80.89)



I am not able to access my DMZ switches from the inside network. These DMZ switches can reach their gateway, the firewall at 172.16.11.1; they have an ip default-gateway pointing towards the firewall (172.16.11.1).


The inside access-list is allowing 192.168.80.89 to any.

The serverdmz access-list is allowing the 172.16.11.100 switch to access any.


See the configuration mentioned below.


static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255


access-list aclnat_serverdmz extended permit ip any 172.16.11.0 255.255.255.0
access-list acl-nonat extended permit ip host 172.16.11.100 any
nat-control
nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 0 access-list acl-nonat
nat (serverdmz) 1 172.16.11.0 255.255.255.0



global (partners) 1 172.16.15.253 netmask 255.255.255.255
global (serverdmz) 1 172.16.11.254
global (serverdmz) 3 interface



access-list acl-serverdmz line 2 extended permit ip host 172.16.11.100 any

access-list acl-in line 7 extended permit ip host 192.168.80.89 any


access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat



Please let me know what I am missing. I have tried everything but it is still not working.



Please help me out.

Kureli Sankar Sun, 02/14/2010 - 06:34
Cisco Employee

You do not need this (assuming inside is of higher security than serverdmz).

access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat


you need


access-list acl-nonat extended permit ip host 192.168.80.89 any
nat (inside) 0 access-list acl-nonat


or


static (inside,serverdmz) 192.168.80.89 192.168.80.89 net 255.255.255.255


Make sure you also have permission in the acl to go from inside to dmz.


ip default-gateway is only for traffic sourced to and from the switch itself. If you need the switch to do the routing, then you need to enable "ip routing" on the switch.


-KS
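Kureli's point about which translation the inside host actually needs under nat-control, as an added example that is not part of the thread: a small Python checker (a hypothetical helper of my own, not Cisco code) that walks the pre-8.3 ASA NAT statements quoted above in the order the ASA evaluates them and reports which statement, if any, carries a given source towards a given interface.

```python
import ipaddress
import re

# Constructed excerpt of the pre-8.3 ASA NAT config quoted in the thread
# (nat-control on; inside is the higher-security interface, serverdmz the lower).
ASA_CONFIG = """\
nat-control
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255
access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (serverdmz) 1 172.16.11.254
"""

def acl_hosts(lines, name):
    """Source hosts matched by 'access-list NAME extended permit ip host X any'."""
    pat = re.compile(rf"access-list {re.escape(name)} extended permit ip host (\S+) any$")
    return {m.group(1) for m in map(pat.match, lines) if m}

def translation_for(config, src_if, dst_if, src_ip):
    """Return the statement that translates (or exempts) src_ip leaving src_if
    towards dst_if, or None if nat-control leaves the flow without a translation.
    Checked in the ASA's order: nat 0 access-list, static, then nat/global pairs
    (hypothetical helper; policy NAT with access-lists is not modelled)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    ip = ipaddress.ip_address(src_ip)
    if "nat-control" not in lines:
        return "nat-control off: untranslated flow is allowed"
    for l in lines:                                    # 1. NAT exemption on src_if
        m = re.match(rf"nat \({src_if}\) 0 access-list (\S+)$", l)
        if m and src_ip in acl_hosts(lines, m.group(1)):
            return l
    for l in lines:                                    # 2. static between the two interfaces
        m = re.match(rf"static \({src_if},{dst_if}\) \S+ (\S+) netmask (\S+)$", l)
        if m and ip in ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False):
            return l
    for l in lines:                                    # 3. dynamic nat + global on dst_if
        m = re.match(rf"nat \({src_if}\) (\d+) (\d[\d.]*) (\d[\d.]*)$", l)
        if not m or m.group(1) == "0":
            continue
        if ip in ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False):
            g = next((x for x in lines if x.startswith(f"global ({dst_if}) {m.group(1)} ")), None)
            if g:
                return f"{l} + {g}"
    return None
```

Run against the thread's config, the checker shows that the serverdmz-side exemption for 172.16.11.100 does nothing for traffic sourced from the inside host, while the identity static (or a nat 0 on inside) does.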

wasiimcisco Sun, 02/14/2010 - 06:57

IP routing is already enabled. Do you want me to remove the ip default-gateway from the server?


I have removed the nonat entry for DMZ and static for 192.168.80.89 is already there.



access-list acl-serverdmz extended permit ip host 172.16.11.100 any


access-list acl-in extended permit ip host 192.168.80.89 any
access-list acl-in extended permit tcp host 192.168.80.89 host 172.16.15.5
access-list acl-in extended permit tcp host 192.168.80.89 host 172.16.15.6
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255


But it is still not working.

wasiimcisco Sun, 02/14/2010 - 07:14

I am able to access the switch after configuring the default route 0.0.0.0 0.0.0.0 172.16.11.1.


Thanks for the reply.
