Permit traffic from INSIDE to DMZ

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.

Permit traffic from INSIDE to DMZ

Postby biggle » Mon Mar 25, 2013 3:31 am

Hi all

I am having trouble permitting traffic from inside to DMZ and DMZ to inside.
I have a PAT translation from inside to outside for internet access,
and I equally have traffic coming from OUTSIDE to INSIDE.
My inside network is 10.6.0.0 255.255.0.0,
my outside network is 10.6.1.0 255.255.255.0,
and traffic from outside to inside is 10.6.60.0 255.255.255.0 through a mux using 10.6.1.3 255.255.255.0.
Below is my config:
access-list BSIC_to_MOUD extended permit ip 10.6.3.0 255.255.255.0 Moundou 255.255.255.0
access-list BSIC_to_MOUD extended permit ip 10.6.3.0 255.255.255.0 TESTMOUNDOU 255.255.255.0
access-list BSIC_to_MOUD extended permit ip 10.6.2.0 255.255.255.0 10.6.61.0 255.255.255.0
access-list BSIC_to_MOUD extended permit udp 10.6.2.0 255.255.255.0 10.6.61.0 255.255.255.0
access-list BSIC_to_MOUD extended permit ip 10.6.2.0 255.255.255.0 TESTMOUNDOU 255.255.255.0
access-list BSIC_to_MOUD extended permit ip 10.6.3.0 255.255.255.0 10.76.0.0 255.255.255.0
access-list DMZ_to_INSIDE extended permit ip 10.76.0.0 255.255.255.0 10.6.3.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp Moundou 255.255.255.0 10.6.3.0 255.255.255.0
access-list OUTSIDE_access_in extended permit ip Moundou 255.255.255.0 10.6.3.0 255.255.255.0
access-list OUTSIDE_access_in extended permit icmp Moundou 255.255.255.0 10.6.3.0 255.255.255.0
access-list OUTSIDE_access_in extended permit ip TESTMOUNDOU 255.255.255.0 10.6.3.0 255.255.255.0
access-list OUTSIDE_access_in extended permit ip 10.6.61.0 255.255.255.0 10.6.2.0 255.255.255.0
access-list OUTSIDE_access_in extended permit udp 10.6.61.0 255.255.255.0 10.6.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu DMZ1 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list BSIC_to_MOUD
nat (INSIDE) 1 10.6.0.0 255.255.0.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_to_INSIDE in interface DMZ
rip OUTSIDE passive version 2
rip INSIDE passive version 2
rip DMZ passive version 2
route OUTSIDE 10.6.61.0 255.255.255.0 10.6.1.1 1
route OUTSIDE Moundou 255.255.255.0 10.6.1.1 1
route OUTSIDE 0.0.0.0 0.0.0.0 10.6.1.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 10.6.1.1 1
biggle
Hello I'm new here
 
Posts: 3
Joined: Mon Mar 25, 2013 3:03 am

Re: Permit traffic from INSIDE to DMZ

Postby john » Mon Mar 25, 2013 9:10 pm

Your inside and outside networks are conflicting.

My Inside network is 10.6.0.0 255.255.0.0
my outside network is 10.6.1.0 255.255.255.0

Is your inside network 10.6.0.0 255.255.255.0?
john
Site Admin
 
Posts: 18
Joined: Wed Apr 27, 2011 8:06 pm

Re: Permit traffic from INSIDE to DMZ

Postby biggle » Tue Mar 26, 2013 4:25 am

john wrote: Your inside and outside networks are conflicting.

My Inside network is 10.6.0.0 255.255.0.0
my outside network is 10.6.1.0 255.255.255.0

Is your inside network 10.6.0.0 255.255.255.0?

My inside network is 10.6.0.0 255.255.0.0, not 10.6.0.0 255.255.255.0.
Traffic from inside to the internet router, which is 10.6.1.2, works OK.
Traffic from outside (10.6.60.x/24, 10.6.61.x/24) to inside (10.6.0.0/16) works OK.
I want to get traffic from inside (10.6.3.x/24) to DMZ (10.76.0.x/24). What to do?
biggle
Hello I'm new here
 
Posts: 3
Joined: Mon Mar 25, 2013 3:03 am

Re: Permit traffic from INSIDE to DMZ

Postby john » Tue Mar 26, 2013 6:57 am

I am very surprised it would let you configure that. Those networks are completely overlapping.

If that is not the reason, what security levels have you assigned to each interface?

Example

Outside interface 1
DMZ interface - 50
Internal interface one 90
Internal interface two 91

1 is the least secure interface and 90-91 are the most secure interfaces.
john
Site Admin
 
Posts: 18
Joined: Wed Apr 27, 2011 8:06 pm

Re: Permit traffic from INSIDE to DMZ

Postby biggle » Tue Apr 02, 2013 7:10 am

john wrote: I am very surprised it would let you configure that. Those networks are completely overlapping.

If that is not the reason, what security levels have you assigned to each interface?

Example

Outside interface 1
DMZ interface - 50
Internal interface one 90
Internal interface two 91

1 is the least secure interface and 90-91 are the most secure interfaces.

Hi John
Security levels are as follows:
Outside interface SL 0
DMZ interface SL 10
Inside interface SL 100

Inside with SL 100 is the most secured.
biggle
Hello I'm new here
 
Posts: 3
Joined: Mon Mar 25, 2013 3:03 am
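The security-level rule John describes, together with the subnet overlap he points out in his first reply, as an added Python model that is not from the thread or from Cisco. It is a simplified model of ASA/PIX behaviour (an inbound ACL on the ingress interface replaces the default higher-to-lower permit; NAT and nat-control are not modelled); the interface names, security levels, subnets and the DMZ_to_INSIDE entry are taken from the thread, and the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class Interface:
    name: str
    security_level: int
    network: ipaddress.IPv4Network
    acl: Optional[List[Ace]] = None  # inbound ACL (access-group ... in); None = none applied

def acl_permits(acl: List[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False

def is_allowed(ingress: Interface, egress: Interface, src: str, dst: str) -> bool:
    """Simplified model: an inbound ACL on the ingress interface replaces the
    default rule; without one, only higher-to-lower security level traffic passes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress.acl is not None:
        return acl_permits(ingress.acl, s, d)
    if ingress.security_level == egress.security_level:
        return False  # equal levels need 'same-security-traffic permit inter-interface'
    return ingress.security_level > egress.security_level

def overlapping_interfaces(ifaces: List[Interface]) -> List[Tuple[str, str]]:
    """Interface pairs whose connected networks overlap, the conflict John points out."""
    return [(a.name, b.name) for i, a in enumerate(ifaces)
            for b in ifaces[i + 1:] if a.network.overlaps(b.network)]

# Interfaces, security levels and the DMZ ACL as posted in the thread (sample hosts constructed).
OUTSIDE = Interface("OUTSIDE", 0, ipaddress.ip_network("10.6.1.0/24"))
DMZ = Interface("DMZ", 10, ipaddress.ip_network("10.76.0.0/24"),
                acl=[Ace("permit", ipaddress.ip_network("10.76.0.0/24"),
                         ipaddress.ip_network("10.6.3.0/24"))])
INSIDE = Interface("INSIDE", 100, ipaddress.ip_network("10.6.0.0/16"))

if __name__ == "__main__":
    print(is_allowed(INSIDE, DMZ, "10.6.3.5", "10.76.0.10"))  # True: 100 -> 10, no ACL on INSIDE
    print(is_allowed(DMZ, INSIDE, "10.76.0.10", "10.6.2.5"))  # False: implicit deny in DMZ_to_INSIDE
    print(overlapping_interfaces([OUTSIDE, DMZ, INSIDE]))     # [('OUTSIDE', 'INSIDE')]
```

Translation is deliberately left out: with nat-control enabled the firewall also needs a translation covering the inside-to-DMZ path, so a permitted result here is necessary but not sufficient.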
