Cisco Support Community
New Member

Access from DMZ in one location to Inside at another location - between Cisco ASA devices

Hello,

I want to enable access between a machine in DMZ at one location and another machine in Inside (LAN) at another location.

I wrote the below access rule in one of the Cisco ASAs. But I am not able to achieve what is needed, and even ping is not working.

access-list dmz_access_in extended permit tcp host 10.8.20.10 host 10.8.22.13 eq 9876

access-list dmz_access_in extended permit udp host 10.8.20.10 host 10.8.22.13 eq 9876

10.8.20.10 is the machine in DMZ

10.8.22.13 is the machine in Inside (LAN)

Awaiting help on this.

5 REPLIES
Green

Access from DMZ in one location to Inside at another location -

Try adding....

static (inside,dmz) 10.8.22.0 10.8.22.0 netmask 255.255.255.0

New Member

Access from DMZ in one location to Inside at another location -

Both locations are connected through a site-to-site VPN. By adding this static route, will it disturb the access between other network segments? I feel that by adding this route, only the inside and DMZ would be communicating. Please explain.

Green

Access from DMZ in one location to Inside at another location -

I guess I'm confused as to where these 2 hosts are.

Are you saying that 10.8.20.10 is in the dmz of ASA 1 and 10.8.22.13 is in the inside of ASA 2? And they are connected by a vpn tunnel?

If so, you need to make sure this traffic is part of your crypto ACLs for the tunnel.

Example:

access-list vpn extended permit ip 10.8.20.0 255.255.255.0 10.8.22.0 255.255.255.0

and on the other ASA

access-list vpn extended permit ip 10.8.22.0 255.255.255.0 10.8.20.0 255.255.255.0

You'd also need to make a nat exemption for the traffic on each end.

access-list nonatdmz extended permit ip 10.8.20.0 255.255.255.0 10.8.22.0 255.255.255.0

nat (dmz) 0 access-list nonatdmz

and on the other ASA

access-list nat0 extended permit ip 10.8.22.0 255.255.255.0 10.8.20.0 255.255.255.0

nat (inside) 0 access-list nat0
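The reply above describes two requirements that are easy to get half-right by hand: the crypto ACLs on the two ASAs must be exact mirrors of each other (otherwise phase 2 proxy-ID negotiation fails), and each side needs a NAT exemption covering the same flow. The following is an added example, not code from this thread or from Cisco: a small Python checker that parses `permit ip` ACEs out of pasted ASA configuration text and reports, for a given host pair, whether the forward and return crypto entries exist, whether the two crypto ACLs mirror each other exactly, and whether the NAT-exemption ACLs cover the flow on both ends. The two config snippets, the ACL names `vpn`, `nonatdmz` and `nat0`, and the host addresses are constructed from the thread for illustration.

```python
import ipaddress
import re

# Constructed sample configs: the crypto ("interesting traffic") ACL and the
# NAT-exemption ACL on each ASA, in the form used in the reply above.
# ASA2's nat0 entry is deliberately narrowed to host entries to show that
# coverage of a flow and exact mirroring are different checks.
ASA1_CONFIG = """
access-list vpn extended permit ip 10.8.20.0 255.255.255.0 10.8.22.0 255.255.255.0
access-list nonatdmz extended permit ip 10.8.20.0 255.255.255.0 10.8.22.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
"""
ASA2_CONFIG = """
access-list vpn extended permit ip 10.8.22.0 255.255.255.0 10.8.20.0 255.255.255.0
access-list nat0 extended permit ip host 10.8.22.13 host 10.8.20.10
nat (inside) 0 access-list nat0
"""

# Matches "access-list <name> extended permit ip <rest>"; ports never follow "ip".
ACE_PREFIX = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.*)$")


def _take_net(tokens):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA writes dotted netmasks, which ipaddress accepts
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_permit_ip_aces(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for every 'permit ip' ACE."""
    acls = {}
    for raw in config.splitlines():
        m = ACE_PREFIX.match(raw.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        src = _take_net(rest)
        dst = _take_net(rest)
        acls.setdefault(name, []).append((src, dst))
    return acls


def acl_covers(acl, src_host, dst_host):
    """True if at least one ACE in acl matches the src_host -> dst_host flow."""
    s, d = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    return any(s in src and d in dst for src, dst in acl)


def is_exact_mirror(acl_a, acl_b):
    """Crypto ACLs must be exact mirrors: every (src,dst) on A is (dst,src) on B."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


def check_host_pair(config_a, config_b, crypto_a, crypto_b, nat_a, nat_b, src, dst):
    """Run the tunnel and NAT-exemption checks for src (behind A) -> dst (behind B)."""
    a, b = parse_permit_ip_aces(config_a), parse_permit_ip_aces(config_b)
    crypto_acl_a, crypto_acl_b = a.get(crypto_a, []), b.get(crypto_b, [])
    return {
        "crypto_forward": acl_covers(crypto_acl_a, src, dst),
        "crypto_return": acl_covers(crypto_acl_b, dst, src),
        "crypto_mirrored": is_exact_mirror(crypto_acl_a, crypto_acl_b),
        "nat_exempt_a": acl_covers(a.get(nat_a, []), src, dst),
        "nat_exempt_b": acl_covers(b.get(nat_b, []), dst, src),
    }


def problems(result):
    """Names of the checks that failed, in a stable order."""
    return [k for k, ok in result.items() if not ok]


if __name__ == "__main__":
    res = check_host_pair(ASA1_CONFIG, ASA2_CONFIG, "vpn", "vpn",
                          "nonatdmz", "nat0", "10.8.20.10", "10.8.22.13")
    for check, ok in res.items():
        print(f"{check:16s} {'ok' if ok else 'MISSING'}")
```

The checker only reads `permit ip` entries, which is what both crypto and NAT-exemption ACLs normally contain; it does not evaluate deny lines or port-specific ACEs such as the `dmz_access_in` rules in the question, so a flow that passes every check here can still be dropped by the interface ACL.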

New Member

Access from DMZ in one location to Inside at another location -

Yes, they are connected by a VPN tunnel.

Host 10.8.20.10 is in DMZ on ASA 1.

Host 10.8.22.13 is in Inside (LAN) on ASA 2.

The communication is fine between these two ASA's over the VPN.

I had entered the below commands on ASA 1.

access-list dmz_access_in extended permit tcp host 10.8.20.10 host 10.8.22.13 eq 9876

access-list dmz_access_in extended permit udp host 10.8.20.10 host 10.8.22.13 eq 9876

Please let me know what I should do now.

New Member

Access from DMZ in one location to Inside at another location -

Seems like a routing issue, Seshi.

Try a host route and check, if you do not want to take the risk of disturbing your setup.

Cheers

Arun

486 Views · 0 Helpful · 5 Replies