New Member

How to allow DMZ access to LAN with specific port?

Dear all,

I want DMZ1 talk to VLAN99 with port 1433.

Please, find the attached file and comment.

Thanks.

2 REPLIES
Hall of Fame Super Bronze

Re: Host in VLAN in Layer 3 cannot connect to Internet through A

Modify the following in the switch:

ip access-list extended DENY_ISA
 deny   ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
 permit ip any any

interface Vlan124
 ip address 192.168.192.1 255.255.255.0
 ip access-group (missing ACL)

in the ASA:

route LAN 192.168.122.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.123.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.192.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.125.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.126.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.127.0 255.255.255.0 192.168.121.2 1
route LAN 192.168.128.0 255.255.255.0 192.168.121.2 1


Bronze

Host in VLAN in Layer 3 cannot connect to Internet through ASA55

I had a look at your original switch configuration, and the ACL for VLAN 125 is denying everyone; it doesn't have a permit statement at the end.

ip access-list extended DENY_ISA
 deny   ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255

It needs a permit statement, like Edison mentioned.

Also, the output of your ASA has some typing mistakes, and I wonder whether that is because of copy-paste or whether it has been configured like that.

access-list NO-NAT extended permit ip 192.168.1 (which network or IP does this refer to?)

access-list DMZ_IN extended deny ip 192.168.120.0 255.255.255.0 192.168.123.0 25 5.255.255.0 (all other statements have 55.255.255.0)

I think you should check all the typing mistakes first and then change it around.

Eugen
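
Both replies come down to the same point: an IOS ACL that contains only deny entries ends in the implicit deny, so once applied it drops everything on that interface. The following is an added example (not code from the thread or from Cisco) of a small config check that flags such ACLs and tells you where they are applied; the sample config is constructed from the DENY_ISA ACL quoted above plus a hypothetical correctly terminated ACL (DMZ_TO_VLAN99, with made-up subnets) for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config: DENY_ISA as quoted in the thread (deny-only),
# a hypothetical ACL that permits only TCP 1433 and then denies with logging,
# and a hypothetical interface applying DENY_ISA inbound.
SAMPLE_CONFIG = """
ip access-list extended DENY_ISA
 deny   ip 192.168.125.0 0.0.0.255 192.168.122.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
 deny   ip 192.168.125.0 0.0.0.255 192.168.120.0 0.0.0.255
ip access-list extended DMZ_TO_VLAN99
 permit tcp 10.1.1.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 1433
 deny   ip any any log
interface Vlan125
 ip access-group DENY_ISA in
"""

ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")
ACE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\b")  # optional sequence number
IFACE = re.compile(r"^interface (\S+)\s*$")
APPLY = re.compile(r"^\s*ip access-group (\S+) (in|out)\s*$")

def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map each ACL name to the ordered list of its actions ('permit'/'deny')."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if m := ACL_HEADER.match(line):
            current = m.group(1)
            acls[current] = []
        elif (m := ACE.match(line)) and current is not None:
            acls[current].append(m.group(1))
        elif not line[0].isspace():
            current = None  # a new top-level block, e.g. 'interface ...'
    return acls

def find_deny_all_acls(config: str) -> List[str]:
    """ACLs with entries but no permit: with the implicit deny they drop all traffic."""
    return [n for n, acts in parse_acls(config).items() if acts and "permit" not in acts]

def applied_acls(config: str) -> List[Tuple[str, str, str]]:
    """(interface, acl_name, direction) for every 'ip access-group' line."""
    out, iface = [], None
    for line in config.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif (m := APPLY.match(line)) and iface:
            out.append((iface, m.group(1), m.group(2)))
        elif line.strip() and not line[0].isspace():
            iface = None
    return out

def blackholed(config: str) -> List[Tuple[str, str, str]]:
    """Interfaces where a deny-all ACL is applied, i.e. where all traffic is dropped."""
    bad = set(find_deny_all_acls(config))
    return [t for t in applied_acls(config) if t[1] in bad]
```

Run it against a `show running-config` capture; any tuple returned by `blackholed` is an interface that silently drops everything in that direction.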
