
New Member

ASA 5520 Config for DMZ to INSIDE Access

Hi,

I'm a new user of the ASA; anyway, by reading Cisco documents I have done some basic configuration. At this moment my requirements are as follows:

1. Access to the DMZ servers (191.20.20.0/24) (ping and other services like http etc.) from the Inside user VLAN (172.16.34.0/24)

2. Access to the Inside user VLAN (172.16.34.0/24) from the DMZ servers (191.20.20.0/24)

I have done the config for requirement no. 1, but I am unable to get requirement number 2 working.

Please help me by guiding me step by step through the config for access from the DMZ to the inside user VLAN.

My Interface Details:-

# Inside (security 100): 10.10.10.1/30 on the ASA interface, connected to a Core switch port configured with IP 10.10.10.2/30

# DMZ (security 80): 192.20.20.1/24 on the ASA interface, connected to an L2 switch (2960 without any IP). All the DMZ servers are on the 192.20.20.0/24 segment with their gateway configured as 192.20.20.1

NB: The Outside interface is not yet connected as the ISP hasn't provided the Internet link yet, which will be coming soon. At this moment I don't require the public network as nobody will start accessing those DMZ servers yet; that will be a later requirement.

Regards

Sujit

ACCEPTED SOLUTION
Super Bronze

Re: ASA 5520 Config for DMZ to INSIDE Access

For requirement number 2, you would need to have the following configured:

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

As well as an access-list on the DMZ to allow access towards the inside:

access-list dmz-acl permit ip 191.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0

access-group dmz-acl in interface DMZ

Then a "clear xlate" after the above configuration.

Hope that helps.

8 REPLIES
New Member

Re: ASA 5520 Config for DMZ to INSIDE Access

Hi Jennifer,

Please find the attached config for your ready reference. I have done as per your advice, but still no progress.

Sujit

New Member

Re: ASA 5520 Config for DMZ to INSIDE Access

Hi Jennifer,

I'm waiting for your reply.

Sujit

New Member

Re: ASA 5520 Config for DMZ to INSIDE Access

Hi Sujit,

Please attach the output of the following command:

packet-tracer input dmz icmp 192.20.20.2 8 0 172.16.34.2 detailed

Thanks,

Namit

New Member

Re: ASA 5520 Config for DMZ to INSIDE Access

Hi Jennifer,

What is the aim of the statement below?

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

regards

Hubert

Cisco Employee

Re: ASA 5520 Config for DMZ to INSIDE Access

When you go from a higher to a lower security level in a firewall you will need NAT with nat-control enabled; this is a security feature.

So if you do not want to NAT traffic when it is going from inside to DMZ, you will use that command. What that command does is a one-to-one NAT, which means 172.16.34.0 from inside will appear as 172.16.34.0 on the DMZ.
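Putting the accepted answer and the explanation above together, here is the complete stanza as an added example (not a config posted in this thread). It assumes ASA software 8.2 or earlier (the "static"/"nat-control" syntax used in the thread; 8.3 and later use object NAT), assumes GigabitEthernet0/0 and 0/1 as the physical ports, and, since the thread gives the DMZ subnet as both 191.20.20.0/24 and 192.20.20.0/24, uses 192.20.20.0/24 to match the DMZ interface address; the ACL must match whichever subnet the servers actually use or it will never permit anything.

```cisco
! Added example, not from the thread. Assumes ASA 8.2-style NAT syntax.
! Interface names, security levels and addresses follow Sujit's description;
! the physical port assignment (Gi0/0, Gi0/1) is assumed.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 80
 ip address 192.20.20.1 255.255.255.0
!
! The user VLAN sits behind the core switch, so the ASA needs a route to it.
route inside 172.16.34.0 255.255.255.0 10.10.10.2 1
!
! With nat-control on, inside -> DMZ traffic must match a translation.
! Identity NAT keeps inside addresses unchanged as seen from the DMZ and
! also creates the xlate that DMZ -> inside connections need.
nat-control
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
!
! DMZ -> inside is lower -> higher security: denied unless an ACL permits it.
! Broad rule, as in the accepted answer (DMZ subnet assumed 192.20.20.0/24):
access-list dmz-acl extended permit ip 192.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0
! Tighter alternative if only HTTP from the DMZ is really needed (hypothetical
! service choice); use it instead of the "permit ip" line above:
! access-list dmz-acl extended permit tcp 192.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0 eq www
access-group dmz-acl in interface DMZ
!
! Stateful ICMP so echo replies return without a separate permit rule.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Flush existing translations so the new static takes effect.
clear xlate
!
! Verify both directions before testing from real hosts (addresses constructed).
packet-tracer input DMZ icmp 192.20.20.2 8 0 172.16.34.2 detailed
packet-tracer input inside icmp 172.16.34.2 8 0 192.20.20.2 detailed
```

Each packet-tracer run should end with "Action: allow"; the first phase reported as "drop" points at the missing piece (route, NAT, or ACL).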

New Member

Re: ASA 5520 Config for DMZ to INSIDE Access

Thanks for the explanation.

regards

Hubert

New Member

Re: ASA 5520 Config for DMZ to INSIDE Access

Hi Jennifer,

Thanks a lot. It is working perfectly fine, configured as suggested by you.

Sujit
