Firewall Wizards mailing list archives
Re: DMZ to INSIDE Communication
From: "Ian Mahuron" <mahuron () gmail com>
Date: Wed, 24 Oct 2007 07:24:48 -0700
Sorry for the late reply.

Chris, you've confused the idea of a real IP vs a NAT IP. The real IP (Cisco calls this the local IP) is the IP you've configured on the host. That NAT would be the alternative IP you're exposing on other interfaces. I don't mean to nitpick, but I believe this will help you to better communicate should you need to use this list in the future (or should someone other than you have to work with the wonky names in your policy!).

The missing static sticks out like a sore thumb. This seems to catch every new PIX/ASA admin, so don't feel bad. Hopefully you found the problem by reading the manual. It's very important to understand how translation works on a PIX/ASA. Every connection requires an xlate. This means that each ACE in an interface ACL will need a matching static or nat.

There is rarely ever a good reason to perform translation between your DMZ and inside networks. Your firewall is perfectly capable of routing between the networks. You should require, at most, one static for them to communicate. This would read something along the lines of:

static (inside,DMZ) <inside netid> <inside netid> netmask <inside netmask>

This is often referred to as an identity NAT. Granular identity NATs should be avoided. Some people appear to use them as an added security measure, but this is poor practice.

If you haven't already, you should apply an ACL to your DMZ and inside interfaces.

Finally, Anthony is absolutely correct. AFAIK, there is _no way_ to have a functioning dmz _and_ inside (assuming you want them to be able to chat) with a base license on a 5505. I spent a good hour trying to work around it. It's too bad as it would make for a very sweet budget firewall. The license that removes this limitation is considerably more money (2x).

Ian

On 10/15/07, Anthony <ez4me2c3d () gmail com> wrote:
So you weren't running into the issue of the base license not allowing DMZ initiated traffic to the inside network?

"With the Base platform, communication between the DMZ VLAN and the Inside VLAN is restricted: the Inside VLAN is permitted to send traffic to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to the Inside VLAN."
http://cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html#wp1101628

Anthony

chris mr wrote:

Thanks for your help... I had to add another static into the ASA and ACL on DMZ in.

mail.domain.com = 12.x.x.x
EXCHANGE1 = natted ip of Exchange on inside

static (inside,DMZ) tcp 12.x.x.x smtp EXCHANGE1 smtp netmask 255.255.255.255

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
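As an added illustration (not from the thread, Cisco's documentation, or any poster), here is what Ian's advice looks like as a complete pre-8.3 PIX/ASA configuration fragment: one identity static covering the whole inside network, and interface ACLs on both DMZ and inside that carry the actual policy. Interface names (inside, DMZ), the 10.1.1.0/24 and 192.168.100.0/24 subnets, the Exchange server 10.1.1.20 and the DMZ relay 192.168.100.10 are constructed placeholders. The syntax is the 7.x/8.0-8.2 form the thread uses; ASA 8.3 and later replaced `static` with object NAT and the same design is expressed differently there.

```cisco
! Added example, not from the thread. All addresses and interface names are
! constructed placeholders:
!   inside 10.1.1.0/24, Exchange server 10.1.1.20
!   DMZ    192.168.100.0/24, mail relay 192.168.100.10
! Pre-8.3 syntax. Assumes a nat/global pair for internet access already exists.

! The trap from the thread: the DMZ_IN ACE below, on its own, does not let the
! relay reach Exchange. Every connection needs an xlate, and with no static or
! nat covering 10.1.1.20 from the DMZ side the ASA has nothing to build, so the
! packet is dropped even though the ACL permits it.

! One identity static for the whole inside netid: inside hosts keep their
! real (local) addresses when seen from the DMZ. No per-host identity statics.
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! DMZ-inbound policy: the relay may reach Exchange on SMTP only; any other
! DMZ-to-inside traffic is denied and logged; DMZ-to-internet still permitted.
access-list DMZ_IN extended permit tcp host 192.168.100.10 host 10.1.1.20 eq smtp
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ

! Inside-inbound policy. Inside is the higher-security interface, so without an
! ACL everything from inside to DMZ is allowed by default; an explicit ACL keeps
! that to what the DMZ host actually needs.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.100.10 eq smtp
access-list INSIDE_IN extended deny ip any 192.168.100.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

To check the result without waiting for real mail, `packet-tracer input DMZ tcp 192.168.100.10 1025 10.1.1.20 25` walks the flow through the ACL and NAT phases and shows the identity static being selected; `show xlate` then shows the resulting entry once a connection is built. Two caveats that the thread itself raises: the logged deny lines are where unexpected DMZ-to-inside attempts will surface, so they are worth watching, and none of this helps on an ASA 5505 with the Base license, where DMZ-initiated traffic to the inside VLAN is blocked by licensing rather than by configuration.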