Re: [fw-wiz] DMZ to INSIDE Communication
- From: "Ian Mahuron" <mahuron@xxxxxxxxx>
- Date: Wed, 24 Oct 2007 07:24:48 -0700
Sorry for the late reply.
Chris, you've confused the idea of a real IP vs a NAT IP. The real IP
(Cisco calls this the local IP) is the IP you've configured on the
host. That NAT would be the alternative IP you're exposing on other
interfaces. I don't mean to nitpick but I believe this will help you
to better communicate should you need to use this list in the future
(or should someone other than you have to work with the wonky names in
your policy!).
The missing static sticks out like a sore thumb. This seems to catch
every new PIX/ASA admin so don't feel bad. Hopefully you found the
problem by reading the manual. It's very important to understand how
translation works on a PIX/ASA. Every connection requires an xlate.
This means that each ACE in an interface ACL will need a matching
static or nat.
There is rarely ever a good reason to perform translation between your
DMZ and inside networks. Your firewall is perfectly capable of
routing between the networks. You should require, at most, one static
for them to communicate. This would read something along the lines
of:
static (inside, DMZ) <inside netid> <inside netid> netmask <inside netmask>
This is often referred to as an identity NAT.
Granular identity NATs should be avoided. Some people appear to use
them as an added security measure but this is poor practice.
If you haven't already, you should apply an ACL to your DMZ and inside
interfaces.
Finally, Anthony is absolutely correct. AFAIK, there is _no way_ to
have a functioning dmz _and_ inside (assuming you want them to be able
to chat) with a base license on a 5505. I spent a good hour trying to
work around it. It's too bad as it would make for a very sweet budget
firewall. The license that removes this limitation is considerably
more money (2x).
Ian
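What the single identity static plus interface ACLs Ian describes look like as an ASA 7.x configuration (an added example, not configuration posted in this thread; addresses are constructed RFC 1918 ranges, and the interface, ACL and host names are assumptions):

```cisco
! Added example (not from the thread). Addresses are constructed RFC 1918
! ranges; interface names, ACL names and host names are assumptions.
! Assumes ASA 7.x syntax with nat-control enabled, so every flow needs an
! xlate and each ACE needs a matching static or nat. Outside NAT omitted.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Readable names so the policy says what it means
names
name 10.1.1.10 EXCHANGE1 description real (local) IP of Exchange on inside
name 10.1.2.25 DMZ-RELAY description real IP of the SMTP relay in the DMZ
!
! One identity static for the whole inside network (real == mapped).
! No translation happens between inside and DMZ; this single static
! replaces per-host "granular" statics such as a tcp/smtp static for
! one server.
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! DMZ-facing ACL: the relay may reach Exchange on SMTP only; anything
! else the DMZ initiates towards inside is denied and logged before
! the relay's outbound mail is allowed.
access-list DMZ_IN extended permit tcp host DMZ-RELAY host EXCHANGE1 eq smtp
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0 log
access-list DMZ_IN extended permit tcp host DMZ-RELAY any eq smtp
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! Inside-facing ACL: applying one here removes the implicit
! "higher to lower is allowed" behaviour, so state what inside needs.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host DMZ-RELAY eq smtp
access-list INSIDE_IN extended deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

To confirm that a DMZ-to-inside flow finds both its xlate and its ACE, use `show xlate` for the translation slots and, on 7.2 and later, `packet-tracer input DMZ tcp 10.1.2.25 1025 10.1.1.10 25` to walk the flow through the static and the ACL.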
On 10/15/07, Anthony <ez4me2c3d@xxxxxxxxx> wrote:
> So you weren't running into the issue of the base license not allowing
> DMZ initiated traffic to the inside network?
> "With the Base platform, communication between the DMZ VLAN and the
> Inside VLAN is restricted: the Inside VLAN is permitted to send traffic
> to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to
> the Inside VLAN."
> http://cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html#wp1101628
> Anthony
>
> chris mr wrote:
> > Thanks for your help...
> > I had to add another static into the ASA and an ACL on DMZ in.
> > mail.domain.com = 12.x.x.x
> > EXCHANGE1 = natted ip of Exchange on inside
> > static (inside,DMZ) tcp 12.x.x.x smtp EXCHANGE1 smtp netmask 255.255.255.255
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards