Re: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network



First of all, you need to allow ICMP in your access-list for ping to work
between DMZ2 and inside. So add this line:

access-list acl_DMZ2_to_INSIDE extended permit icmp any any
or replace the entire access-list with:

access-list acl_DMZ2_to_INSIDE extended permit ip any any



The static in your config seems a bit odd, try replacing it with this one:

static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0

This basically says that all inside hosts should be reachable by their own
IP address in DMZ2, presuming the access list allows the traffic.





Regards,

Arne Svennevik





From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Manoj Kalpage
Sent: Monday, October 06, 2008 4:28 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA 5505 - Allow DMZ to Access Internal network



Hi All,
I am trying to configure the DMZ to access everything in the internal network. I
have the configuration below for DMZ to internal but I cannot ping either
network. Is this allowed with ASA ver 8.0? Am I doing something wrong?
Any help would be greatly appreciated.

Thanks in advance.

MK

interface Vlan1
description For XXXX Network
nameif inside
security-level 100
ip address 172.24.53.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Bitddd
ip address pppoe setroute
!
interface Vlan3
description for Back Office Network
nameif DMZ1
security-level 100
ip address 172.23.53.1 255.255.255.0
!
interface Vlan4
description DMZ2 for XXX Network
nameif DMZ2
security-level 75
ip address 192.168.30.1 255.255.255.0

interface Ethernet0/0
description To Outside
switchport access vlan 2
!
interface Ethernet0/1
description To XXX Network
!
interface Ethernet0/2
description To Inside Back Office Network
switchport access vlan 3
!
interface Ethernet0/3
description To XXX Network
switchport access vlan 4

access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any

global (outside) 1 interface
global (DMZ1) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.24.53.0 255.255.255.0
nat (DMZ1) 1 172.23.53.0 255.255.255.0
nat (DMZ2) 1 192.168.30.0 255.255.255.0
nat (DMZ3) 1 192.168.100.0 255.255.255.0
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255

access-group acl_DMZ2_to_INSIDE in interface DMZ2

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply DMZ1
icmp permit any echo DMZ1
icmp permit any echo-reply DMZ2
icmp permit any echo DMZ2
icmp permit any echo-reply DMZ3
icmp permit any echo DMZ3

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
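The two points in the reply (no ICMP entry in the ACL bound to DMZ2, and a static whose 255.255.255.255 netmask covers only the single address 172.24.53.0) can be checked mechanically. The script below is an added example written for this thread, not code from the list or from Cisco: it holds a constructed excerpt of the quoted config and the same excerpt with both suggested changes applied, evaluates the inbound ACL on DMZ2 first-match for a given protocol (any/any entries only), and reports which address an inside host would be reachable at on DMZ2 under the static entries.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0 config quoted above (only the lines the
# reply discusses), then the same excerpt with both suggested fixes applied.
ORIGINAL_CONFIG = """
access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any
static (inside,DMZ2) 192.168.30.0 172.24.53.0 netmask 255.255.255.255
access-group acl_DMZ2_to_INSIDE in interface DMZ2
"""
FIXED_CONFIG = """
access-list acl_DMZ2_to_INSIDE extended permit tcp any any
access-list acl_DMZ2_to_INSIDE extended permit udp any any
access-list acl_DMZ2_to_INSIDE extended permit icmp any any
static (inside,DMZ2) 172.24.53.0 172.24.53.0 netmask 255.255.255.0
access-group acl_DMZ2_to_INSIDE in interface DMZ2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) any any$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]

def inbound_acl_permits(config, interface, protocol):
    """First-match evaluation of the ACL bound inbound on `interface` for an
    any/any flow of `protocol` ('ip' entries match every protocol)."""
    lines = _lines(config)
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    acl = bound.get(interface)
    for m in filter(None, map(ACL_RE.match, lines)):
        if m.group(1) == acl and m.group(3) in (protocol, "ip"):
            return m.group(2) == "permit"
    return False  # no ACL bound, or no matching entry: implicit deny

def static_covers(config, real_if, mapped_if, real_host):
    """Return the address `real_host` is reachable at on `mapped_if`, or None if
    no 'static (real_if,mapped_if) mapped real netmask mask' entry covers it."""
    host = ipaddress.ip_address(real_host)
    for m in filter(None, map(STATIC_RE.match, _lines(config))):
        if (m.group(1), m.group(2)) != (real_if, mapped_if):
            continue
        real_net = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        if host in real_net:  # a /32 mask covers only the one listed address
            mapped_net = ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}", strict=False)
            return str(mapped_net.network_address + (int(host) - int(real_net.network_address)))
    return None
```

Object groups, port matches and nat/global rules are not modelled; the checker only covers the any/any entries and static lines that appear in the thread.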