problem to enter from inside to dmz

Guest

problem to enter from inside to dmz

Post by Guest » Thu Jan 06, 2005 9:20 pm

Hi
In my inside network we have more than 2 VLANs and we want the inside network to access the servers that are in the DMZ. I have tried many ways and I would like it if someone can help me understand how I have to do it.

dmz network: 192.169.120.0 255.255.255.0

object-group LAN
172.10.10.0 /24
172.10.20.0 /24
172.10.30.0 /24

access-list Inside extended permit ip object-group LAN 192.169.120.0 255.255.255.0
access-list DMZ extended permit ip any any
access-group Inside in interface inside
access-group DMZ in interface dmz

For example we made this:

access-list INSIDE extended permit ip host 192.168.120.5 192.168.120.0 255.255.255.240
access-list DMZ extended permit ip any any
static (inside,DMZ) 192.168.120.5 172.10.10.4 netmask 255.255.255.255

The IP 172.10.10.4 is a PC on my inside network. With that example I could access the DMZ switch. But when I try to do this:

static (inside,DMZ) access-list INSIDE 172.10.10.4 netmask 255.255.255.255

I get an error: ERROR: access-list used in static has different local addresses

Thanks for any help that you can provide me.

Guest

Re:problem to enter from inside to dmz

Post by Guest » Thu Jan 06, 2005 9:22 pm

Hello,
If you want only traffic from the inside to be initiated to the DMZ and not backwards, you can just apply a simple PAT, if the inside interface has a higher security level than the DMZ. For example, the same NAT you have for Internet access (in case you have it) would be like this:

nat (inside) 1 0 0
global (outside) 1 interface

You can just add the following global:

global (DMZ) 1 interface

Same as in the other cases, the best troubleshooting tool to check where the access is being broken is packet-tracer:

packet-tracer input inside tcp <inside_ip> 1025 <dmz_ip> 80

That would give you the information about the packet, where and when it is being dropped.

Cheers
Mike.

Guest

Re:problem to enter from inside to dmz

Post by Guest » Thu Jan 06, 2005 9:38 pm

Hi Mike, I did have the same problem, and it got resolved by your answer given for this post. Thank you very much.
Regards
Kiran Kumar CH

Guest

Re:problem to enter from inside to dmz

Post by Guest » Thu Jan 06, 2005 10:11 pm

Hello,
Thanks for your help.
1. So if I want an interface that has a higher level to go to a lower level I have to make a simple PAT as you said. I did what you said and it works, but with that configuration can a PC on the DMZ enter the inside, or do I have to do something else?
2. If I want only a PC from the DMZ to access the inside, what do I have to do, because I want to access from a lower interface to a higher interface?
Regards
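As an added example (not from any post in this thread), the pre-8.3 PIX/ASA configuration that Mike's answer describes, applied to the addresses from the original post, with the DMZ-to-inside case from the follow-up question handled by a separate static and an explicit DMZ ACL entry. The interface names, security levels and port 22 are assumptions.

```cisco
! Added example, not from the thread. Assumes pre-8.3 ASA/PIX 7.x syntax,
! interface names "inside" (security-level 100) and "DMZ" (security-level 50).
!
! --- Inside -> DMZ (Mike's answer): dynamic PAT behind the DMZ interface ---
object-group network LAN
 network-object 172.10.10.0 255.255.255.0
 network-object 172.10.20.0 255.255.255.0
 network-object 172.10.30.0 255.255.255.0
!
! Inside hosts are translated to the outside interface address for the
! Internet and to the DMZ interface address for the DMZ. Because this is
! dynamic PAT, DMZ hosts cannot initiate connections back to inside hosts.
nat (inside) 1 0 0
global (outside) 1 interface
global (DMZ) 1 interface
!
! Limit inside-to-DMZ traffic to the DMZ subnet instead of permitting any.
access-list Inside extended permit ip object-group LAN 192.168.120.0 255.255.255.0
access-group Inside in interface inside
!
! --- DMZ -> inside (follow-up question 2): lower to higher security level ---
! Two things are needed: a translation that makes the inside host reachable
! from the DMZ, and an explicit permit on the DMZ interface ACL.
! Identity static: 172.10.10.4 keeps its own address when seen from the DMZ
! (a static takes precedence over the dynamic nat/global pair above).
static (inside,DMZ) 172.10.10.4 172.10.10.4 netmask 255.255.255.255
!
! Only the DMZ server 192.168.120.5 may open connections, and only to that
! one host and port (port 22 is an assumption); everything else from the DMZ
! toward the LAN is dropped. This replaces "permit ip any any" on the DMZ.
! Internet-bound DMZ traffic would still need its own nat/global, omitted here.
access-list DMZ extended permit tcp host 192.168.120.5 host 172.10.10.4 eq 22
access-list DMZ extended deny ip any object-group LAN
access-list DMZ extended permit ip any any
access-group DMZ in interface DMZ
!
! Verification from Mike's answer, with the page's addresses filled in:
! packet-tracer input inside tcp 172.10.10.4 1025 192.168.120.5 80
! packet-tracer input DMZ tcp 192.168.120.5 1025 172.10.10.4 22
```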
