Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Hi,

In my inside network we have more than 2 VLANs, and we want the inside network to access the servers that are in the DMZ. I have tried many ways, and I would like it if someone can help me understand how I have to do it.

dmz network: 220.127.116.11 255.255.255.0

  object-group network LAN
    network-object 18.104.22.168 255.255.255.0
    network-object 22.214.171.124 255.255.255.0
    network-object 126.96.36.199 255.255.255.0

  access-list Inside extended permit ip object-group LAN 188.8.131.52 255.255.255.0
  access-list DMZ extended permit ip any any
  access-group Inside in interface inside
  access-group DMZ in interface dmz

For example, we did this:

  access-list INSIDE extended permit ip host 192.168.120.5 192.168.120.0 255.255.255.240
  access-list DMZ extended permit ip any any
  static (inside,DMZ) 192.168.120.5 184.108.40.206 netmask 255.255.255.255

The IP 220.127.116.11 is a PC on my inside network. With that example I could access the DMZ switch. But when I try this:

  static (inside,DMZ) 18.104.22.168 access-list INSIDE

I get an error:

  ERROR: access-list used in static has different local addresses

Thanks for any help you can provide.
Hello,

If you want only traffic from the inside to be initiated to the DMZ and not backwards, you can just apply a simple PAT, if the inside interface has a higher security level than the DMZ. For example, the same NAT you have for internet access (in case you have it) would be like this:

  nat (inside) 1 0 0
  global (outside) 1 interface

You can just add the following global:

  global (DMZ) 1 interface

Same as the other cases, the best troubleshooting tool to check where the access is being broken is packet-tracer:

  packet-tracer input inside tcp <inside_ip> 1025 <dmz_ip> 80

That would give you the information about the packet, where and when it is being dropped.

Cheers,
Mike
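A worked configuration for the inside-to-DMZ direction described in the reply above. This is an added example, not config posted in the thread: the interface names, security levels, the 10.0.0.0/8 inside range and the 192.0.2.0/24 DMZ range are assumptions, and the syntax is the pre-8.3 nat/global/static form used throughout the thread. It also shows why a single dynamic PAT fits the original poster's situation better than a policy static: a policy static translates one local address, so every entry in its access-list must use that same local address as source; an object-group spanning several VLANs is what produces "access-list used in static has different local addresses".

```cisco
! Added example (not from the thread): inside -> dmz with dynamic PAT, ASA 8.2-style syntax.
! Interface names, security levels and all addresses below are assumptions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! One nat statement covers every inside VLAN; 0.0.0.0 0.0.0.0 means any source.
nat (inside) 1 0.0.0.0 0.0.0.0
! Inside hosts reaching the internet are PATed behind the outside interface address.
global (outside) 1 interface
! A global with the same ID on dmz PATs inside hosts behind 192.0.2.1 when they
! talk to DMZ servers. Only inside (the higher security level) can initiate
! these connections; the DMZ gets no path to inside from this translation.
global (dmz) 1 interface
!
! Optional: restrict what inside may reach in the DMZ. With no ACL applied on
! inside, higher-to-lower traffic is permitted by default, so this ACL keeps
! that default for everything except the DMZ subnet.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 host 192.0.2.10 eq www
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 host 192.0.2.10 eq https
access-list INSIDE_IN extended deny ip any 192.0.2.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Verify from enable mode: simulate a web request from an inside host to the
! DMZ server. The output lists each phase (ACL, NAT, ...) and ends with
! "Action: allow" or names the phase that dropped the packet.
packet-tracer input inside tcp 10.1.0.50 1025 192.0.2.10 80
```

The deny line on the DMZ subnet is what turns "permit ip any any" into a deliberate policy: anything from inside to the DMZ that is not the web server on 80/443 is dropped and logged, while internet-bound traffic still falls through to the final permit.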
Hello,

Thanks for your help.

1. So if I want an interface that has a higher security level to go to a lower level, I have to make a simple PAT as you said. I did what you said and it works, but with that configuration can PCs on the DMZ enter the inside, or do I have to do something else?

2. If I want only PCs from the DMZ to access the inside, what do I have to do, because I want to access from a lower interface to a higher interface?

Regards
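The thread ends without a reply to the two follow-up questions. The following is an added example, not a post from the thread, showing the lower-to-higher direction in the same pre-8.3 syntax. Addresses, interface names and the services involved are assumptions. It builds on the two pieces the original poster already had in place (a static translation and an access-list applied on the DMZ interface) but narrows the "permit ip any any" to one flow.

```cisco
! Added example (not a reply from the thread): letting one DMZ host reach one
! inside server, ASA 8.2-style syntax. All names and addresses are assumptions.
!
! Traffic from a lower to a higher security level needs two things: a
! translation that makes the inside host reachable from dmz, and an ACL applied
! inbound on dmz that permits the flow. The dynamic PAT used for inside -> dmz
! gives neither: a PAT entry exists only for connections initiated from inside,
! so a DMZ host has no translated address to connect to and is dropped.
!
! Identity static: inside server 10.1.0.20 is reachable from dmz under its own address.
static (inside,dmz) 10.1.0.20 10.1.0.20 netmask 255.255.255.255
!
! Only the DMZ web server 192.0.2.10 may reach the inside database on tcp/5432.
! Everything else from the DMZ toward inside address space is dropped and logged,
! while the DMZ keeps its default access to lower security levels. This replaces
! "permit ip any any" on the dmz interface, which would let every DMZ host reach
! every inside address that has a static, on every port.
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.1.0.20 eq 5432
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Verify the allowed flow and a blocked one from enable mode. The first should
! end in "Action: allow"; the second should show the drop in the ACCESS-LIST phase.
packet-tracer input dmz tcp 192.0.2.10 40000 10.1.0.20 5432
packet-tracer input dmz tcp 192.0.2.11 40000 10.1.0.20 5432
```

Because the ACL is evaluated on the dmz interface, a compromised DMZ server is limited to the one inside port it legitimately needs; the logged deny entry is also the line to watch for a DMZ host probing the inside networks.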