
Cisco ASA 5510 - Allow traffic from dmz to inside


  • Cisco ASA 5510 - Allow traffic from dmz to inside

    Hi,
    I want to enable traffic from a DMZ server 172.16.1.19 to a LAN host 192.168.0.18 for an LDAP connection.

    I tried with this:
    static (inside,dmz) 172.16.2.18 192.168.0.18 netmask 255.255.255.255
    access-list DMZtoInside extended permit udp host 172.16.1.19 host 172.16.2.18 eq 389
    access-group DMZtoInside in interface dmz


    When I apply the access-group I can connect to the LAN from the DMZ host, but from the DMZ host I lose the internet connection.


    Where is the problem?


    This is my config:


    ASA Version 8.2(3)
    !
    name 192.168.0.0 RETE-LOCALE
    name 172.16.1.0 RETE-DMZ
    name 172.20.0.3 INT-OUTSIDE
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address INT-OUTSIDE 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.244 255.255.255.0
    !
    interface Ethernet0/2
    nameif dmz
    security-level 10
    ip address 172.16.1.10 255.255.255.0
    !
    same-security-traffic permit intra-interface
    access-list acl_in extended permit tcp any host INT-OUTSIDE eq www
    access-list No.Nat extended permit ip RETE-DMZ 255.255.255.0 192.168.11.0 255.255.255.0 #used for VPN
    access-list acl_dmz extended deny tcp any any eq smtp log inactive
    access-list acl_dmz extended permit ip any any
    access-list acl_internet extended permit ip RETE-LOCALE 255.255.255.0 RETE-DMZ 255.255.255.0
    access-list acl_internet extended permit tcp RETE-LOCALE 255.255.255.0 host xxx.xxx.xxx.xxx
    access-list MAILSERVER extended permit ip RETE-LOCALE 255.255.255.0 host xxx.xxx.xxx.xxx
    global (outside) 2 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list No.Nat
    nat (inside) 2 access-list MAILSERVER
    nat (inside) 1 RETE-LOCALE 255.255.255.0
    nat (dmz) 0 access-list No.Nat
    nat (dmz) 2 RETE-DMZ 255.255.255.0
    static (dmz,outside) tcp interface www 172.16.1.19 www netmask 255.255.255.255
    access-group acl_in in interface outside
    access-group acl_internet in interface inside
    route outside 0.0.0.0 0.0.0.0 172.20.0.1 1
    http RETE-LOCALE 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside

    Thanks

    Giacomo

  • #2
    Re: Cisco ASA 5510 - Allow traffic from dmz to inside

    You lose internet because of your ACL on the dmz interface.


    access-list DMZtoInside extended permit udp host 172.16.1.19 host 172.16.2.18 eq 389

    Remember the implicit deny at the end of the ACL.

    access-list DMZtoInside extended permit tcp host 172.16.1.19 any eq www
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco ASA 5510 - Allow traffic from dmz to inside

      Thanks,
      I added this
      access-list DMZtoInside extended permit tcp any any

      because in the DMZ network there are a lot of servers that must be enabled to access the internet.

      It didn't work and I added this:
      access-list DMZtoInside extended permit udp any any
      access-list DMZtoInside extended permit ip any any

      Now it works but I have another problem:
      all LAN PCs connect to the internet via a proxy (squid) located in the DMZ (172.16.1.14).

      All LAN PCs can connect to the internet via the proxy, but 192.168.0.18 cannot: it receives "access denied" from squid.

      Is it a problem related to the static?

      Thanks



      • #4
        Re: Cisco ASA 5510 - Allow traffic from dmz to inside

        Where is the 192.168.0.18 host located? Off of what interface? Post a full config.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Cisco ASA 5510 - Allow traffic from dmz to inside

          It's located in the LAN (inside interface);
          the proxy squid (172.16.1.14) is located in the DMZ.

          Thanks
          Giacomo



          • #6
            Re: Cisco ASA 5510 - Allow traffic from dmz to inside

            Is this static still in the config?

            static (inside,dmz) 172.16.2.18 192.168.0.18 netmask 255.255.255.255


            This says: translate anything from 192.168.0.18 coming in on the inside interface to 172.16.2.18 going out the dmz interface.

            Your dmz interface is in the 172.16.1.0 subnet but the static nat says to translate to 172.16.2.18? Typo maybe?


            Just remove that static and it will PAT to the dmz interface like the rest of your hosts.

            nat (inside) 1 RETE-LOCALE 255.255.255.0
            global (dmz) 1 interface
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
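
Taking post #2 (the implicit deny at the end of the ACL) and post #6 (the stray static) together, here is a tighter DMZ policy as an added example; it is not configuration from the thread. It replaces the `permit ip any any` that post #3 ended up with, which lets every DMZ host open any connection into the LAN and so removes most of the point of having a DMZ. It assumes the `static (inside,dmz)` line has been removed as post #6 suggests, so the LDAP server is referenced by its real address 192.168.0.18 (on 8.2 an ACL matches the address as it appears on the ingress interface, which is the mapped address 172.16.2.18 while that static exists); that `nat-control` is disabled, the default on a fresh 8.2 install, so DMZ-to-inside traffic needs no translation of its own; and that the DMZ servers only need DNS and HTTP/HTTPS outbound. The names RETE-DMZ and RETE-LOCALE are the ones defined in the posted config.

```cisco
! Added example, not from the thread. Assumes: the static (inside,dmz) line
! is gone (post #6), nat-control is disabled, and the DMZ servers need only
! DNS and HTTP/HTTPS outbound. Names are from the posted config.
!
! Order matters: the ASA walks the list top-down, stops at the first match,
! and drops anything that matches nothing (the implicit deny from post #2).
!
! 1. Only the LDAP client in the DMZ may reach the LDAP server, on 389 only.
access-list DMZtoInside extended permit tcp host 172.16.1.19 host 192.168.0.18 eq 389
access-list DMZtoInside extended permit udp host 172.16.1.19 host 192.168.0.18 eq 389
!
! 2. Everything else from the DMZ toward the LAN is dropped and logged.
!    This line must sit above the "any" permits below, because "any"
!    includes RETE-LOCALE.
access-list DMZtoInside extended deny ip RETE-DMZ 255.255.255.0 RETE-LOCALE 255.255.255.0 log
!
! 3. What the DMZ servers need for internet access, instead of "permit ip any any".
access-list DMZtoInside extended permit udp RETE-DMZ 255.255.255.0 any eq domain
access-list DMZtoInside extended permit tcp RETE-DMZ 255.255.255.0 any eq www
access-list DMZtoInside extended permit tcp RETE-DMZ 255.255.255.0 any eq https
!
! 4. No trailing permit: anything not listed falls through to the implicit deny.
access-group DMZtoInside in interface dmz
```

To confirm which line a flow hits before trusting it, use the ASA's own simulator, e.g. `packet-tracer input dmz tcp 172.16.1.19 1025 192.168.0.18 389` for the LDAP connection and `packet-tracer input dmz tcp 172.16.1.19 1025 192.168.0.50 445` for something that should be blocked; `show access-list DMZtoInside` then shows per-line hit counts. The squid symptom from post #3 is also visible this way: while the static is present, `show xlate` lists 192.168.0.18 mapped to 172.16.2.18, so the proxy sees that address instead of the PAT address 172.16.1.10 that the other LAN hosts arrive from.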

