I have the following config on the FWSM and it works fine for Internet-bound access.
object-group network LAN
network-object 10.1.1.0 255.255.255.0
object-group network DMZ
network-object 192.168.1.0 255.255.255.0
nat (LAN) 1 0.0.0.0 0.0.0.0
global (outside) 1 <Public IP>
access-list CORP_ACL line 7 extended permit tcp object-group LAN any eq www <-- Tied to LAN interface inbound
I am getting the following error while trying to access the DMZ from the LAN:
2010-04-22T16:19:14+01:00 FWSM_ABC %FWSM-6-106015: Deny TCP (no connection) from 192.168.1.10/80 to 10.1.1.10/3735 flags SYN ACK on interface DMZ
I wonder whether it is a NAT issue and whether the following config will fix it?
access-list CORP_ACL line 6 extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS
access-list NAT_O extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS
nat (inside) 0 access-list NAT_O
Thanks in advance.
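As an added example (not part of the original post), here is one way to lay out the LAN-to-DMZ NAT exemption and access rule on an FWSM. It assumes the interface names LAN, DMZ and outside, with LAN at a higher security level than DMZ, reuses the LAN and DMZ object-groups from the post, and defines a LAN2DMZ_PORTS service group as an assumption, since the post names it but never shows it.

```text
! Added example, not the poster's config. Assumes interfaces LAN, DMZ, outside
! and the object-groups LAN and DMZ shown in the post.

! LAN2DMZ_PORTS is assumed here; the post refers to it but does not define it.
object-group service LAN2DMZ_PORTS tcp
 port-object eq www
 port-object eq https

! Exempt LAN -> DMZ from the "nat (LAN) 1" dynamic translation so the DMZ host
! sees the real 10.1.1.x source. The nat 0 statement is bound to the interface
! where the sources live (LAN, not "inside"), and the ACL name in the nat line
! must match the access-list name exactly. NAT exemption with an ACL applies to
! both directions of the flow.
access-list NAT_O extended permit ip object-group LAN object-group DMZ
nat (LAN) 0 access-list NAT_O

! Equivalent alternative to the exemption: identity static between the two
! interfaces (use one or the other, not both).
! static (LAN,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Inbound ACL on LAN. The specific LAN -> DMZ line is inserted before the
! existing "any eq www" line (line 7 in the post) so it is evaluated first.
access-list CORP_ACL line 6 extended permit tcp object-group LAN object-group DMZ object-group LAN2DMZ_PORTS
access-group CORP_ACL in interface LAN

! The SYN/ACK coming back from 192.168.1.10/80 is matched against the
! connection table, not against an ACL on DMZ, so no DMZ inbound rule is
! needed for return traffic.
```

After applying this, `show nat`, `show xlate` and `show conn` should show the exemption and a connection entry for 10.1.1.10 to 192.168.1.10 once a client connects. The 106015 "Deny TCP (no connection)" message means the FWSM received the SYN/ACK on DMZ with no matching connection entry; if it keeps appearing after the exemption and ACL are in place, the outbound SYN is not being seen on the LAN interface (check for a second path from LAN to DMZ that bypasses the firewall) rather than being dropped by NAT.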