ASA 5510 - Allow traffic from dmz to LAN

Discussion in 'Cisco' started by gbottazzi, Feb 29, 2012.

    Hi,
    I want to enable traffic from a DMZ server 172.16.1.19 to a LAN host 192.168.0.18 for an LDAP connection.

    I tried with this:
    static (inside,dmz) 172.16.2.18 192.168.0.18 netmask 255.255.255.255
    access-list DMZtoInside extended permit udp host 172.16.1.19 host 172.16.2.18 eq 389
    access-group DMZtoInside in interface dmz


    When I apply the access-group I can connect to the LAN from the DMZ host, but from the DMZ host I lose the internet connection.


    Where is the problem?


    This is my config:


    ASA Version 8.2(3)
    !
    name 192.168.0.0 RETE-LOCALE
    name 172.16.1.0 RETE-DMZ
    name 172.20.0.3 INT-OUTSIDE
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address INT-OUTSIDE 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.244 255.255.255.0
    !
    interface Ethernet0/2
    nameif dmz
    security-level 10
    ip address 172.16.1.10 255.255.255.0
    !
    same-security-traffic permit intra-interface
    access-list acl_in extended permit tcp any host INT-OUTSIDE eq www
    access-list No.Nat extended permit ip RETE-DMZ 255.255.255.0 192.168.11.0 255.255.255.0 #used for VPN
    access-list acl_dmz extended deny tcp any any eq smtp log inactive
    access-list acl_dmz extended permit ip any any
    access-list acl_internet extended permit ip RETE-LOCALE 255.255.255.0 RETE-DMZ 255.255.255.0
    access-list acl_internet extended permit tcp RETE-LOCALE 255.255.255.0 host xxx.xxx.xxx.xxx
    access-list MAILSERVER extended permit ip RETE-LOCALE 255.255.255.0 host xxx.xxx.xxx.xxx
    global (outside) 2 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list No.Nat
    nat (inside) 2 access-list MAILSERVER
    nat (inside) 1 RETE-LOCALE 255.255.255.0
    nat (dmz) 0 access-list No.Nat
    nat (dmz) 2 RETE-DMZ 255.255.255.0
    static (dmz,outside) tcp interface www 172.16.1.19 www netmask 255.255.255.255
    access-group acl_in in interface outside
    access-group acl_internet in interface inside
    route outside 0.0.0.0 0.0.0.0 172.20.0.1 1
    http RETE-LOCALE 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside

    Thanks

    Giacomo
     
    gbottazzi, Feb 29, 2012
    #1
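Added illustration, not part of the thread or the poster's config: a small Python model of how an ASA 8.2 decides a flow that enters on dmz, built from the interfaces, the static and the single ACE in the post. It shows the behaviour the question describes: once an access-group is bound to an interface, the security-level default no longer applies there and the ACL's implicit deny drops everything the ACL does not explicitly permit, internet traffic included. The "fixed" ACL and the internet host 203.0.113.10 are constructed assumptions, not from the page.

```python
import ipaddress

# Interfaces as configured on the page: name -> (security-level, connected subnet)
INTERFACES = {
    "inside":  (100, ipaddress.ip_network("192.168.0.0/24")),
    "dmz":     (10,  ipaddress.ip_network("172.16.1.0/24")),
    "outside": (0,   ipaddress.ip_network("0.0.0.0/0")),  # stands in for the default route
}
# The page's "static (inside,dmz)": mapped address seen from dmz -> real inside host
STATICS = {"172.16.2.18": "192.168.0.18"}

def egress_interface(dst):
    """Untranslate through the statics, then longest-prefix match over INTERFACES."""
    real = ipaddress.ip_address(STATICS.get(dst, dst))
    return max((n for n, (_, net) in INTERFACES.items() if real in net),
               key=lambda n: INTERFACES[n][1].prefixlen)

def in_scope(addr, spec):
    """ACE address spec: 'any', a single host, or a CIDR network."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def permitted(src, dst, proto, dport, acl):
    """Decide a dmz-originated flow. acl=None means no access-group on dmz;
    otherwise acl is an ordered list of (action, proto, src, dst, port) ACEs."""
    if acl is None:
        # No ACL: a higher security level may initiate toward a lower one, never the reverse.
        return INTERFACES["dmz"][0] > INTERFACES[egress_interface(dst)][0]
    for action, p, s, d, port in acl:
        if p not in ("ip", proto) or not in_scope(src, s) or not in_scope(dst, d):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"          # first matching ACE wins
    return False                           # implicit deny closes every interface ACL

# The ACE exactly as posted, and a constructed variant (assumption) that keeps internet
# access while still blocking the rest of RETE-LOCALE from the DMZ.
DMZ_TO_INSIDE = [("permit", "udp", "172.16.1.19", "172.16.2.18", 389)]
DMZ_TO_INSIDE_FIXED = DMZ_TO_INSIDE + [
    ("deny", "ip", "any", "192.168.0.0/24", None),
    ("permit", "ip", "any", "any", None),
]

def scenarios():
    """Return {scenario: (ldap_ok, internet_ok)} for the DMZ host 172.16.1.19."""
    out = {}
    for name, acl in (("no-acl", None), ("posted", DMZ_TO_INSIDE), ("fixed", DMZ_TO_INSIDE_FIXED)):
        ldap = permitted("172.16.1.19", "172.16.2.18", "udp", 389, acl)
        web = permitted("172.16.1.19", "203.0.113.10", "tcp", 80, acl)  # constructed internet host
        out[name] = (ldap, web)
    return out
```

The "posted" scenario reproduces the symptom (LDAP passes, internet is dropped); the "fixed" one shows that the ACL needs an explicit permit for the traffic the security-level default used to allow.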
