Allow Traffic from host on DMZ to host on inside
  • Allow Traffic from host on DMZ to host on inside

    I am trying to allow traffic from a Front-Edge Exchange Server sitting in the DMZ to the Back-End Exchange Server sitting on the inside.

    the Front-Edge Server has IP: 192.168.2.4
    the Back-End Server has IP: 172.16.1.7

    The types of traffic I am interested in, from both sides, are:
    1. RDP connection
    2. SMTP Traffic
    3. telnet Traffic
    4. Ping traffic

    If I am on the DMZ on the Front-End Server at 192.168.2.4, can I simply RDP or telnet to my Back-End Server at 172.16.1.7 through the ASA 5505 without creating a mapped IP, just by typing 172.16.1.7 into the RDP program to make the connection?

    --------------------------------------------------------------
    ASA Version 7.2(3)
    !
    hostname ciscoasa
    domain-name ciscoasa.com
    names
    !
    interface Vlan1
    no nameif
    no security-level
    no ip address
    !
    interface Vlan3
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    interface Vlan4
    nameif dmz
    security-level 20
    ip address 192.168.2.1 255.255.255.0
    !
    passwd Ug8g0VU3lmtgMXoJ encrypted
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup dmz
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server my-ISP-DNS
    domain-name ciscoasa.com
    pager lines 24
    mtu inside 1500
    mtu dmz 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 my-public-ip-range netmask my-public-ip-mask
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 perimeter-router-ip 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:bddb41e49f09eee5b6411a002631664f
    : end

  • #2
    Re: Allow Traffic from host on DMZ to host on inside

    Please have a read here. It's best not to have Exchange in the DMZ.
    CCNA, Network+



    • #3
      Re: Allow Traffic from host on DMZ to host on inside

      "Edge" servers are probably fine, as I believe the OP is talking about 2007 in this scenario (from the ports).
      (Also missing LDAP etc.: http://technet.microsoft.com/en-us/l.../cc526574.aspx)

      Traffic needs to go to the Hub Transport, though, not the "back end", which I read as the Mailbox server.

      If you want to allow traffic from less secure to more secure you need static and acl statements.

      RDP, for example (the real interface comes first in the static, and the inside host keeps its real address on the DMZ side so the ACL can name it):
      static (inside,dmz) tcp 172.16.1.7 3389 172.16.1.7 3389 netmask 255.255.255.255
      access-list inbound_dmz extended permit tcp host 192.168.2.4 host 172.16.1.7 eq 3389

      and

      access-group inbound_dmz in interface dmz

      At least that is how I remember it, as it has been a while...
      cheers
      Andy

      Quis custodiet ipsos custodes?



      • #4
        Re: Allow Traffic from host on DMZ to host on inside

        Hi AndyJG247, thanks for your reply. I liked the article you pointed me to. I should be at the company by tomorrow and will try the code you provided; I also got the same idea from other friends. I hope it will work smoothly.

        Thanks again for your help. Once I have tried it, I will post the results.



        • #5
          Re: Allow Traffic from host on DMZ to host on inside

          No problem. Let us know how you get on and if you find any gotchas, etc.
          cheers
          Andy

          Quis custodiet ipsos custodes?



          • #6
            Re: Allow Traffic from host on DMZ to host on inside

            Okay, I tried out the code today. I had been given the same syntax and idea that AndyJG247 suggested, so here is the working syntax:

            access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq 3389
            access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq smtp
            access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq telnet
            access-list dmz_access_in extended permit icmp host 192.168.2.4 host 172.16.1.7 echo
            access-list dmz_access_in extended permit icmp host 192.168.2.4 host 172.16.1.7 echo-reply
            access-group dmz_access_in in interface dmz

            My listed syntax was provided by S0lo; it doesn't differ much from what AndyJG247 suggested. Thanks to you both, it was a great help.



            • #7
              Re: Allow Traffic from host on DMZ to host on inside

              Sorry, I forgot to supply the static statement that goes with the access list:

              static (inside,dmz) 172.16.1.7 172.16.1.7 netmask 255.255.255.255

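The posts above reduce to two ASA 7.x rules that are easy to get wrong: a lower-security interface (dmz, level 20) cannot open connections to a higher-security one (inside, level 100) unless an ACL applied inbound on the dmz interface permits the exact flow, with an implicit deny after the last entry; and the ingress ACL is matched against the destination address as the sender wrote it, which is why the static that accompanies it should be an identity mapping (172.16.1.7 stays 172.16.1.7 as seen from the dmz) rather than one that rewrites the inside host into the DMZ subnet. The checker below is an added example written for this page, not Cisco software and not any poster's configuration. It parses only the small subset of syntax used in the thread (host/host `access-list ... extended` entries, `access-group ... in`, plain non-port `static`), evaluates sample flows under those two rules, and flags a non-identity static whose mapped range lands on a live DMZ address. The `LEVELS` values come from the posted interface config; `HOSTS`, `BAD_STATIC` and `GOOD_STATIC` are constructed for the example.

```python
"""Sanity-check a small subset of Cisco ASA 7.x syntax: 'static (real,mapped)',
'access-list NAME extended ...' with host/host entries, and 'access-group ... in'.
Added example for this thread; not Cisco code, not the original poster's config.
Port-statics and network objects are out of scope (unrecognised lines are skipped).
"""
import ipaddress
import re

PORT_NAMES = {"smtp": 25, "telnet": 23, "ssh": 22, "www": 80, "https": 443}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (tcp|udp|icmp|ip) "
                    r"host (\S+) host (\S+)(?: eq (\S+)| (echo-reply|echo))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"static ?\((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?$")


def parse(config):
    """Return (acls, bindings, statics); bindings maps interface -> inbound ACL name."""
    acls, bindings, statics = {}, {}, []
    for raw in config.splitlines():
        line = " ".join(raw.split())                 # normalise whitespace
        if m := ACE_RE.match(line):
            name, action, proto, src, dst, port, icmp = m.groups()
            svc = None
            if port:
                svc = PORT_NAMES.get(port) or int(port)
            elif icmp:
                svc = ICMP_TYPES[icmp]
            acls.setdefault(name, []).append((action, proto, src, dst, svc))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            statics.append((real_if, mapped_if, mapped_ip, real_ip, mask or "255.255.255.255"))
    return acls, bindings, statics


def evaluate(parsed, levels, ingress, egress, src, dst, proto, svc=None):
    """permit/deny for a new connection entering `ingress` and leaving via `egress`."""
    acls, bindings, _ = parsed
    acl = bindings.get(ingress)
    if acl is None:                                  # no ACL: security levels decide
        return "permit" if levels[ingress] > levels[egress] else "deny"
    for action, p, s, d, v in acls.get(acl, []):     # first matching ACE wins
        if (p == "ip" or p == proto) and s == src and d == dst and v in (None, svc):
            return action
    return "deny"                                    # implicit deny ends every ACL


def static_problems(parsed, hosts):
    """Flag non-identity statics whose mapped range lands on a live host of the mapped
    interface, and ACEs on that interface written for the real rather than the
    mapped address (7.x matches the ingress ACL against the address the sender used)."""
    acls, bindings, statics = parsed
    problems = []
    for real_if, mapped_if, mapped_ip, real_ip, mask in statics:
        mapped_net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
        real_net = ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)
        if mapped_net == real_net:                   # identity static rewrites nothing
            continue
        for h in hosts.get(mapped_if, ()):
            if ipaddress.ip_address(h) in mapped_net:
                problems.append(f"static ({real_if},{mapped_if}) maps onto {h}, "
                                f"a live host on {mapped_if}")
        for dst in {ace[3] for ace in acls.get(bindings.get(mapped_if, ""), [])}:
            if ipaddress.ip_address(dst) in real_net:
                problems.append(f"ACE on {mapped_if} names real address {dst}; "
                                f"senders there must use {mapped_net}")
    return problems


# Constructed sample input: the ACL from post #6 plus two candidate statics.
ACL_CONFIG = """
access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq 3389
access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq smtp
access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq telnet
access-list dmz_access_in extended permit icmp host 192.168.2.4 host 172.16.1.7 echo
access-list dmz_access_in extended permit icmp host 192.168.2.4 host 172.16.1.7 echo-reply
access-group dmz_access_in in interface dmz
"""
BAD_STATIC = "static(inside,dmz) 192.168.2.4 172.16.1.7 netmask 255.255.255.0"   # constructed slip
GOOD_STATIC = "static (inside,dmz) 172.16.1.7 172.16.1.7 netmask 255.255.255.255"  # identity static
LEVELS = {"inside": 100, "dmz": 20}                  # from the posted interface config
HOSTS = {"dmz": {"192.168.2.4"}, "inside": {"172.16.1.7"}}  # constructed inventory


def demo():
    good, bad = parse(ACL_CONFIG + GOOD_STATIC), parse(ACL_CONFIG + BAD_STATIC)
    flow = ("192.168.2.4", "172.16.1.7")
    return {
        "rdp": evaluate(good, LEVELS, "dmz", "inside", *flow, "tcp", 3389),
        "https": evaluate(good, LEVELS, "dmz", "inside", *flow, "tcp", 443),
        "other_dmz_host": evaluate(good, LEVELS, "dmz", "inside", "192.168.2.9", flow[1], "tcp", 3389),
        "inside_to_dmz": evaluate(good, LEVELS, "inside", "dmz", flow[1], flow[0], "tcp", 3389),
        "good_static": static_problems(good, HOSTS),
        "bad_static": static_problems(bad, HOSTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats worth carrying away from the thread's final syntax. The `echo-reply` entry is needed because the posted `global_policy` does not include `inspect icmp`, so ICMP is not tracked statefully and replies to pings from the inside have to be permitted explicitly; enabling `inspect icmp` would make that line unnecessary and tighten the ACL. And RDP plus telnet from a DMZ host to an inside server are exactly the interactive paths an attacker who compromises the front end would want; the ACL above is host-to-host, which is the right shape, but every service in it should be one the Exchange role actually requires.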
