Re: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network

First of all, you need to allow ICMP in your access-list for ping to work
between DMZ2 and inside. So add this line:

access-list acl_DMZ2_to_INSIDE extended permit icmp any any
or replace the entire access-list with:

access-list acl_DMZ2_to_INSIDE extended permit ip any any

The static in your config seems a bit odd, try replacing it with this one:

static (inside,DMZ2) netmask

This basically says that all inside hosts should be reachable by their own
IP address in DMZ2, presuming the access list allows the traffic.


Arne Svennevik

From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Manoj
Sent: Monday, October 06, 2008 4:28 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network

Hi All,
I am trying to configure the DMZ to access everything in the internal network. I
have the configuration below for DMZ to internal, but I cannot ping either
network. Is this allowed with ASA ver 8.0? Am I doing something wrong?
Any help would be greatly appreciated.

Thanks in advance.


interface Vlan1
description For XXXX Network
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Bitddd
ip address pppoe setroute
interface Vlan3
description for Back Office Network
nameif DMZ1
security-level 100
ip address
interface Vlan4
description DMZ2 for XXX Network
nameif DMZ2
security-level 75
ip address

interface Ethernet0/0
description To Outside
switchport access vlan 2
interface Ethernet0/1
description To XXX Network
interface Ethernet0/2
description To Inside Back Office Network
switchport access vlan 3
interface Ethernet0/3
description To XXX Network
switchport access vlan 4

access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any

global (outside) 1 interface
global (DMZ1) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (DMZ1) 1
nat (DMZ2) 1
nat (DMZ3) 1
static (inside,DMZ2) netmask

access-group acl_DMZ2_to_INSIDE in interface DMZ2

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply DMZ1
icmp permit any echo DMZ1
icmp permit any echo-reply DMZ2
icmp permit any echo DMZ2
icmp permit any echo-reply DMZ3
icmp permit any echo DMZ3
