Just upgraded my ASA 5510 from 8.2(1) to 8.4(4)1. Everything appeared to work just fine with one big exception.
The NAT statements I had previously remained in effect and even appeared to replicate in some instances.
My issue now is I have set up a DMZ interface (security 50) and need a couple servers to connect back to the inside interface (security 100). I set up the necessary NAT statements within the ASDM to allow the DMZ servers to connect to a single inside server. However, all the DMZ servers can still ping and connect to ALL inside servers.
Any easy way to limit this? Am trying to limit the number of servers in the Inside network that the DMZ can access, but it looks like the DMZ has free rein at the present time.
Am happy to post my configs. I would open a TAC case, but this firewall is still so new, the support contract has not yet been processed by Cisco.
Thanks in advance.
The first rule, "access-list dmz_access_in extended permit ip any any", will permit traffic to outbound and inside and is overwriting the second rule.
I will look when I arrive home, but this is a fast answer.
If 192.168.1.0/24 is DMZ and 10.1.1.0/24 is inside:
!--- allow only host 192.168.1.40 from DMZ to access host 10.1.1.25 on the inside network
access-list dmz_access_in extended permit ip host 192.168.1.40 host 10.1.1.25
!--- deny everything else to the inside network (ASA uses subnet masks, so /24 is 255.255.255.0)
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- allow access from DMZ to the internet
access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any
!--- apply the list inbound on the DMZ interface (replace <dmz-nameif> with the interface's nameif)
access-group dmz_access_in in interface <dmz-nameif>
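The point in the answer is first-match evaluation: an ASA walks an interface ACL top to bottom and applies the first entry that matches, with an implicit deny at the end, so a "permit ip any any" at the top makes every later entry dead. The following Python model (an added example, not part of this thread or of any Cisco tool) parses ACEs in the ASA syntax used above, evaluates a flow against them, and flags entries that can never match. The two ACLs and the flow addresses are constructed for illustration; since ASA 8.3, interface ACLs match on the real (untranslated) addresses, which is why the DMZ and inside networks appear unchanged here despite the NAT rules.

```python
import ipaddress

# Constructed ACLs for illustration. The first reproduces the ordering the
# original poster had (permit ip any any ahead of the specific entries); the
# second is the order given in the answer, using /24 subnet masks.
ACL_ANY_FIRST = [
    "access-list dmz_access_in extended permit ip any any",
    "access-list dmz_access_in extended permit ip host 192.168.1.40 host 10.1.1.25",
    "access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
ACL_FIXED = [
    "access-list dmz_access_in extended permit ip host 192.168.1.40 host 10.1.1.25",
    "access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
    "access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any",
]


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i]; return (network, next index).
    ASA ACLs use subnet masks (255.255.255.0), not IOS-style wildcard masks."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    i = 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in: {line}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def first_match(acl_lines, src_ip, dst_ip):
    """Return (index, action) of the first ACE matching the flow, or (None, 'deny')
    for the implicit deny that ends every ASA ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if src in ace["src"] and dst in ace["dst"]:
            return idx, ace["action"]
    return None, "deny"


def evaluate(acl_lines, src_ip, dst_ip):
    """Action the ASA would take for an ip flow src -> dst under this ACL."""
    return first_match(acl_lines, src_ip, dst_ip)[1]


def unreachable_aces(acl_lines):
    """Indices of ACEs that can never match because an earlier ACE with the same
    (or the 'ip' catch-all) protocol already covers their whole src and dst range."""
    parsed = [parse_ace(line) for line in acl_lines]
    dead = []
    for i, ace in enumerate(parsed):
        for earlier in parsed[:i]:
            if (earlier["proto"] in ("ip", ace["proto"])
                    and ace["src"].subnet_of(earlier["src"])
                    and ace["dst"].subnet_of(earlier["dst"])):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for name, acl in (("any-first", ACL_ANY_FIRST), ("fixed", ACL_FIXED)):
        print(name, "192.168.1.50 -> 10.1.1.30:", evaluate(acl, "192.168.1.50", "10.1.1.30"))
        print(name, "unreachable ACEs:", unreachable_aces(acl))
```

With the any-first ordering the DMZ host 192.168.1.50 reaches 10.1.1.30 and entries 1 and 2 are reported dead; with the answer's ordering the same flow is denied, the single permitted host pair still works, and general internet access from the DMZ falls through to the final permit. A flow from an address no entry covers hits the implicit deny.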