02-14-2010 06:23 AM - edited 03-11-2019 10:09 AM
I have Cisco ASA firewall in multi context mode.
DMZ (172.16.11.100, 101, 102)
    |
    |
Firewall
    |
    |
Inside (192.168.80.89)
I am not able to access my DMZ switches from the inside network. These DMZ switches can reach their gateway, the firewall at 172.16.11.1; they have an IP default gateway pointing towards the firewall (172.16.11.1).
The inside access-list allows 192.168.80.89 to reach any destination.
The serverdmz access-list allows the 172.16.11.100 switch to access any destination.
See the configuration below.
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255
access-list aclnat_serverdmz extended permit ip any 172.16.11.0 255.255.255.0
access-list acl-nonat extended permit ip host 172.16.11.100 any
nat-control
nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 0 access-list acl-nonat
nat (serverdmz) 1 172.16.11.0 255.255.255.0
global (partners) 1 172.16.15.253 netmask 255.255.255.255
global (serverdmz) 1 172.16.11.254
global (serverdmz) 3 interface
access-list acl-serverdmz line 2 extended permit ip host 172.16.11.100 any
access-list acl-in line 7 extended permit ip host 192.168.80.89 any
access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat
Please let me know what I am missing. I tried all the things, but it is still not working.
Please help me out.
02-14-2010 06:34 AM
You do not need this (assuming inside is of higher security than serverdmz).
access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat
you need
access-list acl-nonat extended permit ip host 192.168.80.89 any
nat (inside) 0 access-list acl-nonat
or
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255
Make sure you also have permission in the acl to go from inside to dmz.
ip default-gateway is only for traffic sourced from and destined to the switch itself. If you need the switch to do the routing, then you need to enable "ip routing" on the switch.
-KS
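The two NAT-exemption forms the reply describes, together with the switch-side routing point, written out as one worked configuration. This is an added example, not configuration from the original poster; the interface names, addresses and ACL names are those used in the thread, and everything else (the tightened ACL destinations, the access-group line, the switch platform) is assumed.

```cisco
! --- ASA context (pre-8.3 NAT syntax, nat-control enabled) ---
!
! Option A: NAT exemption on the higher-security (inside) interface.
! nat 0 access-list is evaluated before static and dynamic NAT, and the
! ACL is written from inside's point of view (source = inside host).
! The destination is tightened to the DMZ subnet here; the reply uses "any".
access-list acl-nonat extended permit ip host 192.168.80.89 172.16.11.0 255.255.255.0
nat (inside) 0 access-list acl-nonat
!
! Option B (alternative to A): identity static, mapping the host to itself
! on the serverdmz interface. Only one of A or B is required.
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255
!
! Either way, the interface ACL must still permit the flow, and it must be
! bound to the inside interface in the inbound direction (assumed here).
access-list acl-in extended permit ip host 192.168.80.89 172.16.11.0 255.255.255.0
access-group acl-in in interface inside
!
! --- DMZ switch (assumed: Catalyst layer-3 switch) ---
! Once ip routing is enabled, ip default-gateway is ignored; the switch
! needs a real default route pointing at the ASA's serverdmz address.
ip routing
ip route 0.0.0.0 0.0.0.0 172.16.11.1
```

To check the firewall side without touching the switch, run packet-tracer in the context, for example "packet-tracer input inside tcp 192.168.80.89 1025 172.16.11.100 23": the NAT phase should show the exemption or identity static being hit, and the result should be ALLOW. If it does and the switch is still unreachable, the problem is return routing on the switch, not the ASA.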
02-14-2010 06:57 AM
IP routing is already enabled. Do you want me to remove the IP default gateway from the server?
I have removed the nonat entry for the DMZ, and the static for 192.168.80.89 is already there.
access-list acl-serverdmz extended permit ip host 172.16.11.100 any
access-list acl-in extended permit ip host 192.168.80.89 any
access-list acl-in extended permit tcp host 192.168.80.89 host 172.16.15.5
access-list acl-in extended permit tcp host 192.168.80.89 host 172.16.15.6
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255
But it is still not working.
02-14-2010 07:14 AM
I am able to access the switch after configuring the default route 0.0.0.0 0.0.0.0 172.16.11.1.
Thanks for the reply.