Re: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network
First of all, you need to allow ICMP in your access-list for ping to work
between DMZ2 and inside. So add this line:

access-list acl_DMZ2_to_INSIDE extended permit icmp any any

or replace the entire access-list with:

access-list acl_DMZ2_to_INSIDE extended permit ip any any
The static in your config seems a bit odd, try replacing it with this one:

static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0

This basically says that all inside hosts should be reachable by their own
IP address in DMZ2, presuming the access list allows the traffic.
Regards,

Arne Svennevik
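The two points in the reply, the missing ICMP permit and the odd static, can be checked mechanically. The Python below is an added example, not part of Arne's reply or Manoj's post: it parses a constructed excerpt of the posted pre-8.3 configuration, flags an interface ACL that permits no icmp/ip, flags a static whose /32 netmask and mapped address cannot give DMZ2 hosts access to the inside subnet, and builds the identity static the reply recommends from the inside interface's own address. The function names and the `SAMPLE_CONFIG` excerpt are mine.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0 configuration posted in the thread
# (only the inside/DMZ2 parts that matter for the two points in the reply).
SAMPLE_CONFIG = """\
interface Vlan1
 description For XXXX Network
 nameif inside
 security-level 100
 ip address 172.24.53.2 255.255.255.0
!
interface Vlan4
 description DMZ2 for XXX Network
 nameif DMZ2
 security-level 75
 ip address 192.168.30.1 255.255.255.0
!
access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255
access-group acl_DMZ2_to_INSIDE in interface DMZ2
"""

# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
TOP_LEVEL = {"access-list", "access-group", "static", "nat", "global", "icmp", "route"}


def parse_config(text):
    """Collect interfaces, ACL protocols, statics and access-groups from an ASA config."""
    cfg = {"interfaces": {}, "acls": {}, "statics": [], "access_groups": {}}
    current = None  # interface block being read, if any
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface":
            current = {"name": words[1]}
            continue
        if current is not None and words[0] == "nameif":
            current["nameif"] = words[1]
            cfg["interfaces"][words[1]] = current
            continue
        if current is not None and words[0] == "security-level":
            current["security"] = int(words[1])
            continue
        if current is not None and words[:2] == ["ip", "address"] and len(words) >= 4:
            try:
                current["network"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            except ValueError:
                pass  # e.g. "ip address pppoe setroute": no fixed subnet to record
            continue
        if words[0] in TOP_LEVEL:
            current = None  # a global command ends the interface block
        elif current is not None:
            continue  # other interface sub-commands (description, switchport, ...) are ignored
        if words[0] == "access-list" and "permit" in words:
            cfg["acls"].setdefault(words[1], []).append(words[words.index("permit") + 1])
        elif words[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:
                real_ifc, mapped_ifc, mapped, real, mask = m.groups()
                cfg["statics"].append({"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                                       "mapped": mapped, "real": real, "mask": mask})
        elif words[0] == "access-group" and len(words) >= 5:
            cfg["access_groups"][words[4]] = words[1]  # interface name -> ACL name
    return cfg


def check_acl_icmp(cfg):
    """Point 1 of the reply: an ACL applied to an interface must permit icmp (or ip) for ping."""
    findings = []
    for ifc, acl in sorted(cfg["access_groups"].items()):
        protos = set(cfg["acls"].get(acl, []))
        if not protos & {"icmp", "ip"}:
            findings.append(f"{acl} on {ifc} permits only {sorted(protos)}: ICMP entering {ifc} is dropped")
    return findings


def check_statics(cfg):
    """Point 2 of the reply: flag a static that cannot expose the whole inside subnet to DMZ2."""
    findings = []
    for s in cfg["statics"]:
        real_net = cfg["interfaces"].get(s["real_ifc"], {}).get("network")
        mapped_net = cfg["interfaces"].get(s["mapped_ifc"], {}).get("network")
        real = ipaddress.ip_address(s["real"])
        mapped = ipaddress.ip_address(s["mapped"])
        prefix = ipaddress.ip_network(f"0.0.0.0/{s['mask']}").prefixlen
        if real_net is not None and prefix == 32 and real == real_net.network_address:
            findings.append(f"static translates only the single address {s['real']}/32 of {real_net}; "
                            f"a whole-subnet static needs netmask {real_net.netmask}")
        if mapped_net is not None and mapped != real and mapped in mapped_net:
            findings.append(f"mapped address {s['mapped']} lies inside {s['mapped_ifc']}'s own subnet "
                            f"{mapped_net} and collides with directly connected hosts")
    return findings


def identity_static(cfg, real_ifc, mapped_ifc):
    """Build the identity static from the reply: inside hosts keep their own IPs as seen from DMZ2."""
    net = cfg["interfaces"][real_ifc]["network"]
    return f"static ({real_ifc},{mapped_ifc}) {net.network_address} {net.network_address} netmask {net.netmask}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in check_acl_icmp(cfg) + check_statics(cfg):
        print("FINDING:", finding)
    print("suggested:", identity_static(cfg, "inside", "DMZ2"))
```

Run against the posted excerpt it reports three findings and prints the same identity static the reply gives. The ICMP check matters in both directions: unless `inspect icmp` is configured the ASA does not track ICMP statefully, so even echo-replies to pings started from inside arrive inbound on DMZ2 and are evaluated by the ACL applied there.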
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Manoj
Kalpage
Sent: Monday, October 06, 2008 4:28 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network
Hi All,
I am trying to configure giving the DMZ access to everything in the internal network. I
have the configuration below for DMZ to internal, but I cannot ping either
network. Is this allowed with ASA ver 8.0? Am I doing something wrong?
Any help would be greatly appreciated.

Thanks in advance.

MK

interface Vlan1
description For XXXX Network
nameif inside
security-level 100
ip address 172.24.53.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Bitddd
ip address pppoe setroute
!
interface Vlan3
description for Back Office Network
nameif DMZ1
security-level 100
ip address 172.23.53.1 255.255.255.0
!
interface Vlan4
description DMZ2 for XXX Network
nameif DMZ2
security-level 75
ip address 192.168.30.1 255.255.255.0

interface Ethernet0/0
description To Outside
switchport access vlan 2
!
interface Ethernet0/1
description To XXX Network
!
interface Ethernet0/2
description To Inside Back Office Network
switchport access vlan 3
!
interface Ethernet0/3
description To XXX Network
switchport access vlan 4

access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any

global (outside) 1 interface
global (DMZ1) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.24.53.0 255.255.255.0
nat (DMZ1) 1 172.23.53.0 255.255.255.0
nat (DMZ2) 1 192.168.30.0 255.255.255.0
nat (DMZ3) 1 192.168.100.0 255.255.255.0
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255

access-group acl_DMZ2_to_INSIDE in interface DMZ2

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply DMZ1
icmp permit any echo DMZ1
icmp permit any echo-reply DMZ2
icmp permit any echo DMZ2
icmp permit any echo-reply DMZ3
icmp permit any echo DMZ3

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
