
DMZ access to Inside

Hi!

I need advice on how to access the inside from the DMZ. I think I run into problems with the security when testing different solutions. I would like a safe solution to access the inside from the DMZ, without opening any security hole. The firewall is an ASA 5520 ver 7.04.

interface GigabitEthernet0/3
 description Inside interface
 nameif Inside
 security-level 100
 ip address 192.0.0.67 255.255.255.0
interface GigabitEthernet0/2
 description DMZ interface
 nameif DMZ
 security-level 10
 ip address 192.0.3.1 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp host 192.0.3.10 192.0.0.0 255.255.255.0 eq telnet
access-list DMZ_access_in extended permit ip any any
global (Outside) 10 interface
global (DMZ) 10 192.0.3.250 netmask 255.255.255.0
nat (DMZ) 10 192.0.3.0 255.255.255.0
nat (Inside) 10 192.0.0.0 255.255.255.0
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
static (Inside,DMZ) 192.0.0.0 192.0.0.0 netmask 255.255.255.0

The access works, but it's not only host 192.0.3.10 that gets access to the inside as it is supposed to; instead it looks like all hosts on the DMZ get telnet access to the inside.

static (DMZ,Inside) 192.0.3.10 192.0.3.10 netmask 255.255.255.255

With this command I get the message (305005: No translation group found).

Is there any solution with the static command to do this? Anyone!!

5 REPLIES

Re: DMZ access to Inside

Hello,

When the DMZ network wants to access lots of hosts on the inside, you need to give a static for the inside subnet.

static (inside,DMZ) 192.0.0.0 192.0.0.0 netmask 255.255.255.0

should work fine. All the hosts on the DMZ are accessing the inside network because you have given an "access-list DMZ_access_in extended permit ip any any" in your access-list.

Remove this ACL and after that only 3.10 will be able to telnet to the inside.

Hope this helps... all the best... rate replies if found useful.

Raj


Re: DMZ access to Inside

Thanks for your reply. Question! I would like to know how the access-list should be configured when all hosts on the DMZ should reach the internet, for example. I have to permit http for this to work, but then all the hosts on the DMZ get access to the inside with http at the same time. This is the problem: when I give the hosts on the DMZ access to the outside, they also get access to the inside. /Regards

Re: DMZ access to Inside

Hello... the best way to allow internet access is to allow tcp 80 and udp 53 to go out... the access-list being:

access-list dmz permit tcp 192.168.0.0 255.255.255.0 any

access-list dmz permit udp 192.168.0.0 255.255.255.0 host ispdns eq 53

where 192.168.0.0 is the DMZ LAN IP address, in this example....

In this case, as you pointed out, it will also allow access to the inside on port 80. If you want to block that, put a specific deny prior to the permit statement, as shown below:

access-list dmz deny tcp 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80

access-list dmz permit tcp 192.168.0.0 255.255.255.0 any eq 80

By doing this, any traffic to the inside is blocked and the traffic going outside is allowed...

ACL entries are read top to bottom, so make sure you add the deny entries in the right place....

Hope this helps... all the best... rate replies if found useful.

Raj
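The two ACL behaviours discussed in this thread (the trailing "permit ip any any" letting every DMZ host in, and the deny-before-permit ordering for web access) can be checked offline with a small first-match evaluator. The block below is an added example, not code from the thread or from Cisco; it models only protocol, source, destination and destination port, and it is not the ASA's own ACL parser. The subnet 10.1.1.0/24 stands for the inside network as in the reply above; the hosts 192.0.3.20, 192.168.0.7, 10.1.1.5 and 203.0.113.9 are constructed for the test flows.

```python
import ipaddress

# Added example (not from the thread): first-match evaluation of ASA-style
# extended ACL lines. Only proto / src / dst / dst port are modelled.
PORT_NAMES = {"telnet": 23, "www": 80, "http": 80, "domain": 53}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY_NET, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK": ASA ACLs take a normal subnet mask, not an IOS wildcard
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    i = 2
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"name": tokens[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, matching line) for the first ACE that matches the flow,
    or ('deny', None) for the implicit deny at the end of every ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"], line
    return "deny", None


def shadowed_aces(acl_lines):
    """Indexes of ACEs that can never match because an earlier ACE already
    covers every flow they describe (the ordering mistake the reply warns of)."""
    aces = [parse_ace(line) for line in acl_lines]
    shadowed = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, later["port"])):
                shadowed.append(j)
                break
    return shadowed


# The original poster's DMZ ACL: the trailing "permit ip any any" is what lets
# every DMZ host, not only 192.0.3.10, telnet to the inside.
ORIGINAL_DMZ_ACL = [
    "access-list DMZ_access_in extended permit tcp host 192.0.3.10 192.0.0.0 255.255.255.0 eq telnet",
    "access-list DMZ_access_in extended permit ip any any",
]

# The reply's ordering: a specific deny toward the inside subnet (10.1.1.0/24
# in the reply's example) placed before the permit that gives web access out.
CORRECTED_DMZ_ACL = [
    "access-list dmz deny tcp 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80",
    "access-list dmz permit tcp 192.168.0.0 255.255.255.0 any eq 80",
]


def check_scenarios():
    """Constructed flows: 192.0.3.20 / 192.168.0.7 are DMZ hosts, 10.1.1.5 an
    inside host, 203.0.113.9 an external web server. Returns action per flow."""
    return {
        "other_host_telnet_with_any_any":
            evaluate(ORIGINAL_DMZ_ACL, "tcp", "192.0.3.20", "192.0.0.5", 23)[0],
        "other_host_telnet_without_any_any":
            evaluate(ORIGINAL_DMZ_ACL[:1], "tcp", "192.0.3.20", "192.0.0.5", 23)[0],
        "host_3_10_telnet_without_any_any":
            evaluate(ORIGINAL_DMZ_ACL[:1], "tcp", "192.0.3.10", "192.0.0.5", 23)[0],
        "dmz_to_inside_http":
            evaluate(CORRECTED_DMZ_ACL, "tcp", "192.168.0.7", "10.1.1.5", 80)[0],
        "dmz_to_internet_http":
            evaluate(CORRECTED_DMZ_ACL, "tcp", "192.168.0.7", "203.0.113.9", 80)[0],
        # same two lines in the wrong order: the deny is shadowed and never matches
        "dmz_to_inside_http_wrong_order":
            evaluate(CORRECTED_DMZ_ACL[::-1], "tcp", "192.168.0.7", "10.1.1.5", 80)[0],
    }
```

Running check_scenarios() shows the second DMZ host being permitted to telnet inside only while the "permit ip any any" line is present, and the deny line blocking DMZ-to-inside web traffic only when it sits above the permit; shadowed_aces(CORRECTED_DMZ_ACL[::-1]) flags the misplaced deny as index 1, which is a useful check to run over any ACL before applying it.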


Re: DMZ access to Inside

Thanks again sachinraja for your reply!

One last question! I wonder if there is a better way to do this, because it will probably be a lot of access-lists. I don't think this problem exists on the PIX? Well, if there is no other solution I will configure it as you explained. /Regards

Re: DMZ access to Inside

You can probably think of configuring "object groups". By doing this, you can identify and collate access-lists to form logical groups. This will not reduce the ACLs as such, but it can give you better control of the ACLs and easier management.

Check for object groups on the CCO.

Hope this helps. Rate replies if found useful.

Regards

Raj
