ASA5505 DMZ to LAN Access

james.hon
Level 1

Hi, I wonder if anyone has a quick solution to my problem here. We have multiple servers on the DMZ (192.168.2.0/24) but they cannot access any resources in the Inside, by default. We would like to open up a Syslog server from the Inside (10.1.1.5) to the DMZ servers, so we can collect system log from the servers. What's the best way to configure this?

Thanks.

Accepted Solution

mvsheik123
Level 7

Hi,

Standard syslog servers use udp/514. Once you configure the syslog IP in your DMZ servers, the connection will be initiated from the DMZ to the Inside syslog server. You need to configure an access-list to allow this.

!

access-list DMZ2IN extended permit udp 192.168.2.0 255.255.255.0 host 10.1.1.5 eq 514

!

You may already have an existing ACL for DMZ servers to access internet. So apply in proper order.

hth

MS
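The "apply in proper order" point in the reply above is the part that usually bites: ASA access-lists are evaluated top-down and the first matching entry wins, so a new permit appended below an existing deny for DMZ-to-Inside traffic never gets hit. The following is an added illustration written for this page, not code from the thread or from Cisco: a small first-match evaluator for the subset of extended ACE syntax used in the reply. The deny toward 10.0.0.0/8 and the permit-to-any are constructed stand-ins for the "existing ACL for DMZ servers to access internet" the reply mentions, and the hosts 192.168.2.10 and 203.0.113.7 are constructed sample addresses.

```python
"""First-match evaluation of an ASA-style extended ACL (added illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "udp", "tcp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _consume_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read one address spec ("any", "host X", or "X MASK") starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Tuple[str, AclEntry]:
    """Parse the subset of 'access-list NAME [line N] extended ...' syntax used in the thread."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, i = t[1], 2
    if t[i] == "line":          # explicit position keyword; list order is used here instead
        i += 2
    if t[i] != "extended":
        raise ValueError(f"only extended ACEs are supported: {line}")
    action, proto = t[i + 1], t[i + 2]
    src, i = _consume_addr(t, i + 3)
    dst, i = _consume_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return name, AclEntry(action, proto, src, dst, port)


def load_acl(lines: List[str]) -> List[AclEntry]:
    """Parse ACE strings that must all belong to the same named ACL."""
    names, entries = set(), []
    for line in lines:
        name, entry = parse_ace(line)
        names.add(name)
        entries.append(entry)
    if len(names) > 1:
        raise ValueError(f"ACEs belong to different ACLs: {sorted(names)}")
    return entries


def matches(e: AclEntry, f: Flow) -> bool:
    if e.proto != "ip" and e.proto != f.proto:
        return False
    if ipaddress.IPv4Address(f.src_ip) not in e.src:
        return False
    if ipaddress.IPv4Address(f.dst_ip) not in e.dst:
        return False
    return e.dst_port is None or e.dst_port == f.dst_port


def evaluate(entries: List[AclEntry], f: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; no match falls through to the ASA's implicit deny."""
    for idx, e in enumerate(entries):
        if matches(e, f):
            return e.action, idx
    return "deny", None


# Constructed stand-in for an existing DMZ ACL: deny toward the inside ranges, then permit
# to anywhere for internet access. The syslog permit from the thread is appended at the end,
# so it sits below the deny and is shadowed.
ACL_APPENDED = [
    "access-list DMZ2IN extended deny ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list DMZ2IN extended permit ip 192.168.2.0 255.255.255.0 any",
    "access-list DMZ2IN extended permit udp 192.168.2.0 255.255.255.0 host 10.1.1.5 eq 514",
]

# Same three entries with the syslog permit placed above the deny.
ACL_ORDERED = [ACL_APPENDED[2], ACL_APPENDED[0], ACL_APPENDED[1]]

# Constructed sample flows: a DMZ host sending syslog, trying SSH to the same server, browsing out.
SYSLOG_FLOW = Flow("udp", "192.168.2.10", "10.1.1.5", 514)
SSH_FLOW = Flow("tcp", "192.168.2.10", "10.1.1.5", 22)
WEB_FLOW = Flow("tcp", "192.168.2.10", "203.0.113.7", 443)


def decisions(lines: List[str]) -> dict:
    acl = load_acl(lines)
    return {"syslog": evaluate(acl, SYSLOG_FLOW)[0],
            "ssh": evaluate(acl, SSH_FLOW)[0],
            "web": evaluate(acl, WEB_FLOW)[0]}


if __name__ == "__main__":
    print("appended:", decisions(ACL_APPENDED))  # syslog denied: shadowed by the earlier deny
    print("ordered: ", decisions(ACL_ORDERED))   # syslog permitted, SSH still denied, web still permitted
```

With the syslog permit first, only udp/514 toward 10.1.1.5 is opened; the SSH attempt to the same server still falls to the deny, which is the least-privilege outcome you want for a DMZ. On the real ASA the ACL also has to be bound to the DMZ interface (for example `access-group DMZ2IN in interface dmz`, where the interface name `dmz` is an assumption), and the `line N` keyword places an entry at a chosen position instead of appending it.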


Thank you very much for your help. I just realized that there is a license restriction on our 5505 to allow DMZ to Inside access, since it was setup to allow DMZ to outside already.