ASA 5505 – connections from inside to dmz not working


    mali74

    Hello,

    I have the following configuration on our company firewall (ASA 5505). VPN users can log in and use resources in the 192.168.0.0/24 network, but they can’t reach the DMZ (10.1.1.0/24). Connections from the inside network to the DMZ network don’t work either.

    I think this is somehow related to the NAT configuration, but I can’t figure it out. Please help!

    ! Reviewer notes are added as "!" comment lines; configuration lines are left exactly as posted.
    ! The excerpt is truncated by the poster ("..."), so ACL contents and any nat-control /
    ! sysopt / group-policy lines that would also affect inside<->dmz and VPN<->dmz traffic are not visible here.
    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    names
    ! VPN-network is used with mask 255.255.255.240 in the nat0 ACLs below, i.e. 192.168.2.96-192.168.2.111;
    ! the VPN pool (192.168.2.100-192.168.2.110) falls inside that range, so the exemption covers every pool address.
    name 192.168.2.96 VPN-network
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    ospf cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    ! NOTE(review): no address before the mask - presumably redacted for the post; confirm it is set on the live box.
    ip address 255.255.255.248
    ospf cost 10
    !
    interface Vlan3
    ! NOTE(review): "no forward interface Vlan1" is the 5505 Base-license third-VLAN restriction: this VLAN cannot
    ! initiate connections towards Vlan1 (inside), while connections initiated from inside towards dmz are still
    ! permitted. Worth confirming which direction actually fails; dmz-initiated traffic to inside is expected to fail here.
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 3
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    ! Ethernet0/1 and Ethernet0/5 are both in the dmz VLAN (3); only Ethernet0/0 is in the outside VLAN (2).
    interface Ethernet0/5
    switchport access vlan 3
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive

    dns server-group DefaultDNS
    domain-name default.domain.invalid
    ! Service/protocol object groups defined here are not referenced in the visible part of the excerpt.
    object-group service TCP_2222 tcp
    port-object eq 2222
    object-group service rdp tcp
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    ! Split-tunnel list: both the inside and the dmz network are sent through the tunnel, so client-side routing
    ! of 10.1.1.0/24 is covered (assuming this ACL is the one bound to the VPN group-policy, which is not shown).
    access-list VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list VPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
    ! NAT-exemption lists: inside<->VPN and dmz<->VPN traffic bypasses translation (applied by the "nat ... 0" lines below).
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN-network 255.255.255.240
    access-list dmz_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 VPN-network 255.255.255.240
    pager lines 24
    logging enable
    ! Only ASDM logging is visible; a buffered or syslog destination capturing deny messages would show which
    ! rule (ACL, NAT, or the VLAN restriction) is actually dropping the failing inside->dmz flows.
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool company_vpn_users 192.168.2.100-192.168.2.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    ! Outbound PAT: everything from inside is translated to the outside interface address (nat id 1).
    ! There is no "global (dmz)" entry, so inside->dmz traffic depends on the identity statics below rather than on nat id 1.
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    ! Identity statics: each network maps to itself in both directions between inside and dmz (no address change).
    ! NOTE(review): whether a missing translation would drop traffic depends on nat-control, which is not in the excerpt.
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (dmz,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
    ! outside_access_in is applied but its entries are outside the posted excerpt. No access-group is shown on the
    ! inside or dmz interfaces, so those directions fall back to the security-level defaults (higher-to-lower allowed).
    access-group outside_access_in in interface outside
    ! NOTE(review): no next-hop between the mask and the metric - presumably redacted like the outside address above.
    route outside 0.0.0.0 0.0.0.0 1
    .
    .
    .

    Best regards,
    Markku
