Cisco ASA (8.4) ACL / NAT query.

Hi,

I have to allow a machine in my DMZ to access an inside machine across a Cisco ASA (version 8.4).

Source 192.168.85.117 must be able to access the complete secure inside network 10.80.10.0/23 on port smtp, but all other DMZ machines should not be able to access inside 10.80.10.0/23.

I created the following.

object network obj-static-identity-10.80.10.0
 subnet 10.80.10.0 255.255.254.0
nat (inside,dmz) 1 source static obj-static-identity-10.80.10.0 obj-static-identity-10.80.10.0
access-list DMZ line 111 extended permit tcp host 192.168.85.117 10.80.10.0 255.255.255.0 eq smtp

Now when I put in this line, access from the complete source network 10.80.10.x/23 towards the DMZ is lost, like no one can access the DMZ at all.

access-list DMZ line 117 extended deny ip any 10.80.10.0 255.255.254.0

(This ACL is on the DMZ interface in the In direction.)

If I don't add the above line, then how can I secure my inside network from the rest of the DMZ sources?

Please note there is a line at the end of the DMZ ACL, that is:

access-list DMZ line 118 extended permit ip 192.168.85.0 255.255.255.0 any

We know line 117 is above 118 and causes response packets from the DMZ to 10.80.10.0/23 to stop working, but why does traffic from 10.80.10.0/23 towards the DMZ stop working?
Any idea?
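As an added illustration (not part of the original post, and not ASA code), the snippet below replays first-match evaluation of the three DMZ ACEs quoted above against a few constructed flows entering the DMZ interface. It also checks one thing worth verifying in the posted config: line 111 uses mask 255.255.255.0 (/24) while the inside network is 10.80.10.0/23, so SMTP from the permitted host to the upper half of the /23 (10.80.11.x) falls through to the deny on line 117. The patched ACL with a /23 mask on line 111 is an assumption for comparison.

```python
import ipaddress

# ACEs transcribed from the post, in ASA line order (first match wins).
# Fields: (line, action, protocol, source, destination, destination port)
ACL = [
    (111, "permit", "tcp", "192.168.85.117/32", "10.80.10.0/24", 25),
    (117, "deny",   "ip",  "0.0.0.0/0",         "10.80.10.0/23", None),
    (118, "permit", "ip",  "192.168.85.0/24",   "0.0.0.0/0",     None),
]

# Assumed variant: line 111 widened to the full /23 the poster describes.
ACL_PATCHED = [(111, "permit", "tcp", "192.168.85.117/32", "10.80.10.0/23", 25)] + ACL[1:]


def first_match(src, dst, proto, dport, acl=ACL):
    """Return (line, action) of the first ACE matching a new connection.

    Models only the ACL lookup for a flow initiated from the DMZ side;
    it does not model the ASA connection table, so replies of inside-
    initiated flows (which bypass the ACL) are out of scope here.
    Returns (None, 'deny') for the implicit deny at the end of the ACL.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in ipaddress.ip_network(snet) or d not in ipaddress.ip_network(dnet):
            continue
        if port is not None and port != dport:
            continue
        return line, action
    return None, "deny"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.10 is a documentation address.
    flows = [
        ("192.168.85.117", "10.80.10.5",   "tcp", 25),   # intended SMTP, low half of /23
        ("192.168.85.117", "10.80.11.5",   "tcp", 25),   # intended SMTP, high half of /23
        ("192.168.85.50",  "10.80.10.5",   "tcp", 25),   # other DMZ host, must be denied
        ("192.168.85.117", "10.80.10.5",   "tcp", 80),   # non-SMTP from permitted host
        ("192.168.85.50",  "203.0.113.10", "tcp", 443),  # DMZ to elsewhere, line 118
    ]
    for f in flows:
        print(f, "->", first_match(*f), "| patched:", first_match(*f, acl=ACL_PATCHED))
```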
