Firewall DMZ to Inside Access

wasiimcisco · ‎02-14-2010

I have Cisco ASA firewall in multi context mode.

DMZ (172.16.11.100, 101, 102)

I

Firewall

I

Inside (192.168.80.89)

I am not able to acces my DMZ switches from inside network. These DMZ switches can reach their gateway Firewall 172.16.11.1. they have IP default gateway towards the firewall (172.16.11.1).

Inside access-list is allowing the 192.168.80.89 to any

Serverdmz access-list is allowing 172.16.11.100 Switcht o access any

See the below mention configuration.

static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255

access-list aclnat_serverdmz extended permit ip any 172.16.11.0 255.255.255.0
access-list acl-nonat extended permit ip host 172.16.11.100 any
nat-control
nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 0 access-list acl-nonat
nat (serverdmz) 1 172.16.11.0 255.255.255.0

global (partners) 1 172.16.15.253 netmask 255.255.255.255
global (serverdmz) 1 172.16.11.254
global (serverdmz) 3 interface

access-list acl-serverdmz line 2 extended permit ip host 172.16.11.100 any

access-list acl-in line 7 extended permit ip host 192.168.80.89 any

access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat

Please let me know what I am missing. I tried all the things but stil it is not woring.

Please help me out.

Kureli Sankar · ‎02-14-2010

You do not need this (assuming inside is of higher security than serverdmz).

access-list acl-nonat extended permit ip host 172.16.11.100 any
nat (serverdmz) 0 access-list acl-nonat

you need

access-list acl-nonat extended permit ip host 192.168.80.89 any
nat (inside) 0 access-list acl-nonat

or

static (inside,serverdmz) 192.168.80.89 192.168.80.89 net 255.255.255.255

Make sure you also have permission in the acl to go from inside to dmz.

ip default gateway is only for traffic sourced to and from the switch. If you need for the switch to do the routing then you need to enable "ip routing" on the swtich.

-KS

wasiimcisco · ‎02-14-2010

IP routing is already enabled. Do you want me to remove the IP default gateway from the server.

I have removed the nonat entry for DMZ and static for 192.168.80.89 is already there.

access-list acl-serverdmz extended permit ip host 172.16.11.100 any

access-list acl-in extended permit ip host 192.168.80.89 any
access-list acl-in extended permit tcp host 192.168.80.89 host 172.16.15.5
access-list acl-in extended permit tcp host 192.168.80.89 host 172.16.15.6
static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255

but still not working.

wasiimcisco · ‎02-14-2010

I am able to access the switch after configuring the default route 0.0.0.0 0.0.0.0 172.16.11.1

thanks for the reply.