Cisco Support Community


ASA5510, communication across DMZs

I have two DMZs:

DMZ1: 192.168.1.1, security level 10

DMZ2: 192.168.2.1, security level 5

If I want the lower level to be able to communicate with the higher level DMZ:

static (DMZ1,DMZ2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group dmz_allowed in interface DMZ1
access-list dmz_allowed permit icmp host 192.168.2.2 host 192.168.1.25 echo
access-list dmz_allowed permit icmp host 192.168.2.2 host 192.168.1.25 echo-reply
access-list dmz_allowed permit tcp host 192.168.2.2 host 192.168.1.25 eq smtp
access-list dmz_allowed permit tcp host 192.168.2.2 host 192.168.1.25 eq http
access-list dmz_allowed permit tcp host 192.168.2.2 host 192.168.1.25 eq https

If I am only doing keepalive checks from DMZ2 to DMZ1, and traffic is always sourced from DMZ2, does there have to be a NAT, Global statement from DMZ1 to DMZ2?

Or would that be needed only if DMZ1 initiated communication to DMZ2?

2 REPLIES

Re: ASA5510, communication across DMZs

This:

access-group dmz_allowed in interface DMZ1

Should be:

access-group dmz_allowed in interface DMZ2

Yes, you would only need nat/global statements if DMZ1 hosts are initiating traffic into DMZ2.
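To make the reply's two points concrete, the following is an added toy model of the ASA rules this thread turns on (it is not Cisco code and not from either poster): an ACL bound with "access-group ... in" is evaluated on the ingress interface of the first packet of a connection, replies are allowed by the connection table, traffic with no ACL is allowed only from a higher to a lower security level, and under the pre-8.3 nat-control behaviour a translation (a bidirectional static, or a nat/global pair usable only for connections started from the real side) must exist between the two interfaces. The addresses, security levels, ACL and static are the ones from the question; the function and class names are this example's own.

```python
# Added illustration (not Cisco code): toy model of ingress ACLs, the
# security-level default, the connection table and nat-control translations,
# populated with the two DMZs from the thread.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    proto: str      # "icmp" or "tcp"
    src: str        # host address
    dst: str        # host address
    service: str    # ICMP type or TCP service name, matched as a string


@dataclass
class Interface:
    name: str
    security_level: int
    network: str    # connected subnet, e.g. "192.168.1.0/24"


@dataclass
class Asa:
    interfaces: list
    access_groups: dict                      # ifc name -> ACL applied "in" on it
    translations: set                        # (real_ifc, mapped_ifc, "static"|"dynamic")
    nat_control: bool = True
    conns: set = field(default_factory=set)  # (proto, client, server, service)

    def ifc_for(self, ip: str) -> Interface:
        for ifc in self.interfaces:
            if ip_address(ip) in ip_network(ifc.network):
                return ifc
        raise ValueError(f"no interface for {ip}")

    def has_translation(self, higher: str, lower: str, initiator_is_higher: bool) -> bool:
        """A static works both ways; nat/global only for connections from the real side."""
        for real, mapped, kind in self.translations:
            if (real, mapped) == (higher, lower) and (kind == "static" or initiator_is_higher):
                return True
        return False

    def packet(self, proto: str, src: str, dst: str, service: str) -> str:
        """Return 'permit (...)' or 'deny (...)' for one packet; service is the
        connection's service, so a reply is checked with the original service."""
        # 1. Return traffic of a known connection is allowed by the connection
        #    table (a real ASA only tracks ICMP this way with `inspect icmp`).
        if (proto, dst, src, service) in self.conns:
            return "permit (existing connection)"
        ingress, egress = self.ifc_for(src), self.ifc_for(dst)
        # 2. ACL bound on the ingress interface, else the security-level default.
        acl = self.access_groups.get(ingress.name)
        if acl is not None:
            if Ace(proto, src, dst, service) not in acl:
                return f"deny (implicit deny of ACL on {ingress.name})"
        elif ingress.security_level <= egress.security_level:
            return f"deny ({ingress.name} is not higher-security than {egress.name} and has no ACL)"
        # 3. nat-control: some translation must exist between the two interfaces.
        if self.nat_control:
            up = ingress.security_level > egress.security_level
            higher, lower = (ingress, egress) if up else (egress, ingress)
            if not self.has_translation(higher.name, lower.name, up):
                return f"deny (no translation between {higher.name} and {lower.name})"
        self.conns.add((proto, src, dst, service))
        return f"permit (ACL on {ingress.name})" if acl is not None else "permit (security-level default)"


def build_asa(acl_interface: str, translations=None) -> Asa:
    """The thread's topology; acl_interface is where dmz_allowed is bound."""
    dmz_allowed = [Ace("icmp", "192.168.2.2", "192.168.1.25", "echo"),
                   Ace("icmp", "192.168.2.2", "192.168.1.25", "echo-reply"),
                   Ace("tcp", "192.168.2.2", "192.168.1.25", "smtp"),
                   Ace("tcp", "192.168.2.2", "192.168.1.25", "http"),
                   Ace("tcp", "192.168.2.2", "192.168.1.25", "https")]
    if translations is None:
        # static (DMZ1,DMZ2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
        translations = {("DMZ1", "DMZ2", "static")}
    return Asa(interfaces=[Interface("DMZ1", 10, "192.168.1.0/24"),
                           Interface("DMZ2", 5, "192.168.2.0/24")],
               access_groups={acl_interface: dmz_allowed},
               translations=translations)


if __name__ == "__main__":
    print("as posted  :", build_asa("DMZ1").packet("icmp", "192.168.2.2", "192.168.1.25", "echo"))
    fixed = build_asa("DMZ2")
    print("corrected  :", fixed.packet("icmp", "192.168.2.2", "192.168.1.25", "echo"))
    print("echo reply :", fixed.packet("icmp", "192.168.1.25", "192.168.2.2", "echo"))
    print("DMZ1->DMZ2 :", fixed.packet("tcp", "192.168.1.25", "192.168.2.2", "http"))
    print("no static  :", build_asa("DMZ2", set()).packet("tcp", "192.168.2.2", "192.168.1.25", "smtp"))
```

Running it shows the ACL bound on DMZ1 never sees the keepalive (it enters on DMZ2, which has no ACL and is lower security, so the default denies it), while the same ACL bound on DMZ2 permits it and the echo reply rides the connection entry. The last two lines show why the static matters under nat-control: a DMZ1-initiated connection is covered by either the static or a nat/global pair, but a DMZ2-initiated one needs the static, because a dynamic nat/global translation cannot be used for connections started from the mapped side.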


Re: ASA5510, communication across DMZs

Thanks.
