How to config firewall if accessing from dmz to inside lan

Hi everyone,
Hope you can help on this.
We have an ASA with IOS 8.44. We just configured a DMZ zone. Now we are trying to access a share on a Windows server on the INSIDE interface from another Windows server in the DMZ, so on the server in the DMZ I type \\INSIDE_Server\SharedName (or \\ip_of_inside server\SharedName) to access the share.
On the firewall, I opened TCP ports 137, 138, 139 and 445 to allow the DMZ to access the inside server, but it failed. So what do I need to configure to complete my task?
Also, we have some internal DNS servers on the INSIDE interface. How do I make my DMZ server use the inside DNS servers for DNS resolution?
Hope you can help. Thank you!
Takami Chiro

Hi Jcarvaja,
Thank you very much. Finally I could run the troubleshooting command, and the following is the result:
Result of the command: "packet-tracer input dmz2 udp 172.20.0.49 1025 10.10.0.9 53"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.0.0       255.255.0.0     inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz2_acl in interface dmz2
access-list dmz2_acl extended deny ip any 10.0.0.0 255.0.0.0
Additional Information:
Result:
input-interface: dmz2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So does it mean I need to allow tcp 53 from that DMZ server to the inside DNS server?
Thank you very much again...
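
The packet-tracer output above stops at Phase 3 because `dmz2_acl` is evaluated top to bottom and the first matching entry, `deny ip any 10.0.0.0 255.0.0.0`, wins; nothing below it is consulted. The following script is an added example (not part of the thread and not Cisco code) that models that first-match behaviour for the small subset of extended-ACL syntax seen in the output, and shows why a narrow permit for just the DMZ host, the DNS server and UDP/53 has to sit above the broad deny. The permit line and the packet are constructed from the addresses in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The five-tuple packet-tracer was given: proto, src ip/port, dst ip/port."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse an address spec at tokens[i] ('any', 'host A' or 'A MASK'); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK' form: ASA extended ACLs take a normal subnet mask, not a wildcard
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE syntax: " + line)
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": dport, "line": line}


def evaluate_acl(acl_lines, pkt):
    """Walk the ACL top to bottom and return (action, matching line).

    ASA ACLs are first-match: the first ACE that matches decides and nothing
    below it is consulted; a packet that matches no ACE hits the implicit deny.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny at end of ACL"


# The ACE packet-tracer reported as the drop reason, copied from the output above.
DENY_ALL_TO_INSIDE = "access-list dmz2_acl extended deny ip any 10.0.0.0 255.0.0.0"
# A narrow permit: just that DMZ host, just the DNS server, just UDP/53 (constructed line).
PERMIT_DNS = "access-list dmz2_acl extended permit udp host 172.20.0.49 host 10.10.0.9 eq 53"

ACL_AS_POSTED = [DENY_ALL_TO_INSIDE]
ACL_PERMIT_FIRST = [PERMIT_DNS, DENY_ALL_TO_INSIDE]  # the fix: specific permit above the broad deny
ACL_PERMIT_LAST = [DENY_ALL_TO_INSIDE, PERMIT_DNS]   # same lines, wrong order: the deny still wins

# The flow from the packet-tracer command: udp 172.20.0.49/1025 -> 10.10.0.9/53
DNS_QUERY = Packet("udp", "172.20.0.49", 1025, "10.10.0.9", 53)

if __name__ == "__main__":
    cases = [("as posted", ACL_AS_POSTED), ("permit first", ACL_PERMIT_FIRST), ("permit last", ACL_PERMIT_LAST)]
    for name, acl in cases:
        action, why = evaluate_acl(acl, DNS_QUERY)
        print(f"{name:13s}: {action:6s} <- {why}")
```

Running it shows "deny" for the ACL as posted and for the permit placed below the deny, and "permit" only when the specific entry is first; on the real box the equivalent check is to rerun the same `packet-tracer` command after inserting the permit with a lower line number than the deny. The permit is deliberately host-to-host and port-specific rather than `permit udp any any eq 53`, so the broad deny keeps protecting the rest of 10.0.0.0/8.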

Similar Messages

  • HT2534 How do I turn off access from the App Store to my credit card?

    How do I turn off access from App Store to my credit card?

    Try following these instructions:
    http://support.apple.com/kb/ht1918

  • Static translation from dmz to inside on Asa 8.6

    Recently upgraded to an ASA 5512x from a PIX 515e. I have an Ipswitch secure MoveIT server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have set up a static NAT from the outside to the dmz1 and it works; I can also connect from the inside interface. Now I need the MoveIT server to access the DNS server and email server on the inside interface so it can send notifications. On the PIX I just created a static from the inside to the dmz1 using its own IP address - static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255. I would then add the access-list to allow it. How would I set this up with the ASA 8.6 commands?
    Sent from Cisco Technical Support iPad App

    Hi,
    The default operation of the new ASAs/software is that you don't configure NAT if you don't need one.
    So if you for example have the following interfaces
    outside
    lan1
    lan2
    dmz
    If you want lan1, lan2 and dmz to communicate with each other with their actual IP addresses, you don't configure any type of NAT between them (not even the ones that you used to do with the old software with the "static" commands).
    The only situations where I have configured Twice NAT are when I have configured a L2L VPN or when some old 8.2 or below software Policy NAT has been migrated.
    So to my understanding you would probably have a new type of Static NAT for the dmz1 server towards outside:
    object network DMZ-STATIC
    host 192.168.1.7
    nat (dmz1,outside) static x.x.x.x dns
    For the same server to communicate with other networks behind the firewall (LAN networks) you shouldn't really need any additional NAT configuration. Only have the access rules permit the traffic if they don't already do so.
    You can always post some configurations if you want someone to take a look through them.
    - Jouni

  • How to connect to MS Access from servlet uploaded in TOMCAT server

    Hi,
    I want to access MS Access from a servlet. I use the TOMCAT server. I want to know what I should do: how to get the drivers and how to set the class path for them.
    Please help me in finding the solution
    thanks and Regards

    HI,
    try this
    <Code>
    // Imports this snippet needs (the original omitted them)
    import java.io.PrintWriter;
    import java.sql.Connection;
    import java.sql.DatabaseMetaData;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;

    // Body of the servlet's doGet/doPost; 'response' is the HttpServletResponse
    response.setContentType(CONTENT_TYPE);
    PrintWriter out = response.getWriter();
    String conURL = "jdbc:odbc:dsnName";   // ODBC DSN that points at the .mdb file
    Connection con = null;
    ResultSet rs = null;
    try {
        // JDBC-ODBC bridge: shipped with the JDK up to Java 7, removed in Java 8
        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        con = DriverManager.getConnection(conURL, "", "");
        out.println("<html>");
        out.println("<head><title>Servlet1</title></head>");
        out.println("<body bgcolor=\"lightblue\">");
        if (con != null) {
            DatabaseMetaData dm = con.getMetaData();
            out.println("<B><br>Driver Information</B>");
            out.println("\n\t<br><br>Driver Name: " + dm.getDriverName());
            out.println("\n\t<br>Driver Version: " + dm.getDriverVersion());
            out.println("\n\t<br>Database Information ");
            out.println("\n\t<br>Database Name: " + dm.getDatabaseProductName());
            out.println("\n\t<br>Database Version: " + dm.getDatabaseProductVersion());
            out.println("\n\t<br><br>Available Catalogs ");
            rs = dm.getCatalogs();
            while (rs.next()) {
                out.println("<br>\tcatalog: " + rs.getString(1));
            }
            out.println("\n\t<br><br>conURL = " + conURL);
            out.println("\n\t<br><br>Title = Database");
        } else {
            out.println("Error: No active Connection");
        }
        out.println("</body></html>");
    } catch (ClassNotFoundException e) {
        out.println("Couldn't load the database driver: " + e.getMessage());
    } catch (SQLException e) {
        out.println("SQLException caught: " + e.getMessage());
    } finally {
        // Close in reverse order of acquisition; runs on both success and failure
        try {
            if (rs != null) rs.close();
            if (con != null) con.close();
        } catch (SQLException ignored) {
        }
    }
    </Code>
    Sachin

  • Ports Required for SMTP access from DMZ

    We have a Windows 2000 Adv Server on a DMZ interface of a PIX firewall. We are using native Windows SMTP services as a Front End server for Exchange mail. Our Exchange server has a SmartHost entry that sends outbound mail to the server on the DMZ. Our MX record points to the server on the DMZ for inbound traffic.
    We originally allowed DNS resolution and SMTP (Port 25) traffic to the server. We've done this numerous times from the Internal interface of the PIX. Yet, there apparently is at least one other port that needs to be opened up because the mail stays in the Queue of the SMTP server on the DMZ. We got around the problem by opening up all outbound ports from that server.
    My question is: "Does anyone know what ports are required for an SMTP server to work on a PIX DMZ?"
    Thanks

    Should just be TCP/25 and probably DNS (UDP/53). Probably the easiest way to figure out what other port it's using is to look at the active connections from this going through your PIX.
    Let's say the IP address of the mail server is 10.1.1.1. Doing:
    sho conn | include 10.1.1.1
    will give you all the connections. This will tell you where it's connecting to and on what ports. The output will look something like:
    FW1(config)# sho conn | incl 10.1.1.1
    UDP out 10.2.2.1:17127 in 10.1.1.1:10655 idle 0:01:23 Bytes 1000
    UDP out 10.2.2.1:18733 in 10.1.1.1:10477 idle 0:01:38 Bytes 1000
    UDP out 10.3.3.2:18429 in 10.1.1.1:10789 idle 0:01:10 Bytes 1000
    The numbers after the colons are the port numbers on the connection. Of course yours will show TCP and port 25 (and something else hopefully), but you get the idea.
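
The reply's method is to read the far-side ports off `show conn` and permit only those. The script below is an added example (not part of the thread and not Cisco code) that parses the line format quoted above, lists the peers a given host talks to, and renders a host-to-host, port-specific ACE for each peer reached on a well-known port. The three UDP lines are the ones from the reply; the SMTP and DNS lines are constructed to show the kind of entries the author expected, and the "well-known port means service end" rule is a heuristic assumption of this script, not firewall semantics.

```python
import re
from collections import Counter

# One connection line as quoted in the reply: "PROTO out A:port in B:port ...".
# Trailing fields (idle timer, byte count, flags) vary by release, so they are
# matched loosely and kept only as text.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)(?P<rest>.*)$"
)


def parse_conn_line(line):
    """Return a dict for a recognised connection line, or None for anything else (prompt, headers)."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["out_port"], d["in_port"] = int(d["out_port"]), int(d["in_port"])
    return d


def peers_of(lines, host):
    """Count (proto, peer_ip, peer_port) for every connection that involves `host`."""
    peers = Counter()
    for line in lines:
        c = parse_conn_line(line)
        if c is None:
            continue
        if c["in_ip"] == host:
            peers[(c["proto"], c["out_ip"], c["out_port"])] += 1
        elif c["out_ip"] == host:
            peers[(c["proto"], c["in_ip"], c["in_port"])] += 1
    return peers


def permit_candidates(lines, host, max_port=1023):
    """Peers reached on a well-known port, i.e. the services `host` depends on.

    Heuristic assumption: a peer port above `max_port` is treated as the
    peer's ephemeral (client) side and is not proposed for a permit.
    """
    return sorted(k for k in peers_of(lines, host) if k[2] <= max_port)


def as_ace(acl_name, host, proto, peer_ip, peer_port):
    """Render one least-privilege extended ACE (host to host, single port) for a discovered dependency."""
    return (f"access-list {acl_name} extended permit {proto.lower()} "
            f"host {host} host {peer_ip} eq {peer_port}")


# Constructed sample output: the prompt and three UDP lines from the reply, plus
# two constructed lines of the kind a mail relay would show (SMTP smart host, DNS).
SAMPLE_SHOW_CONN = """\
FW1(config)# sho conn | incl 10.1.1.1
UDP out 10.2.2.1:17127 in 10.1.1.1:10655 idle 0:01:23 Bytes 1000
UDP out 10.2.2.1:18733 in 10.1.1.1:10477 idle 0:01:38 Bytes 1000
UDP out 10.3.3.2:18429 in 10.1.1.1:10789 idle 0:01:10 Bytes 1000
TCP out 10.2.2.25:25 in 10.1.1.1:3391 idle 0:00:05 Bytes 4821
UDP out 10.2.2.53:53 in 10.1.1.1:1034 idle 0:00:12 Bytes 256
""".splitlines()

MAIL_SERVER = "10.1.1.1"   # the DMZ mail server from the reply

if __name__ == "__main__":
    for proto, ip, port in permit_candidates(SAMPLE_SHOW_CONN, MAIL_SERVER):
        print(as_ace("dmz_access_in", MAIL_SERVER, proto, ip, port))
```

On the sample this proposes exactly two entries (TCP/25 to the smart host and UDP/53 to the resolver) and ignores the high-port UDP pairs, which is the point of the exercise: replace "all outbound ports from that server" with the few the connection table proves it uses, then keep watching `show conn` for anything still dropped.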

  • How is a client certificate accessed from a servlet that received a SSL3 enabled client-side cert required request

    I would like to know the variables in the HTTP header that hold the client cert information, similar to the SSL_CLIENT_CERT variable in Apache, and how I access these from a servlet.

  • How to prevent/allow admin access from certain ip address.

    Hello
    trying to setup the following scenario:
    have a user BOB created in Cisco ACS 4.2
    have several network devices with different management IP addresses, all added in Cisco ACS 4.2
    want to be able to allow BOB to access network devices only if BOB's access request is coming from one IP address, 1.1.1.1
    If BOB is trying to access network devices from any other IP address, the request should be denied regardless of the fact that BOB has full access to all network devices.
    Is there a way to accomplish this using Cisco ACS 4.2?
    Appreciate your input.
    Regards,

    It is actually possible, thanks for your doc reference:
    in ACS setup AAA client user will be allowed to call from
    in ACS setup NAR (devices you want to allow access to);
    create user in ACS
    configure user access in ACS:
         allow access to required NARs
         define IP - based access restrictions
              Permitted calling / point of access locations
                   enter AAA client from which user will call (* for ports and * for ip address)
    Save and test
    In failed attempts you should see Authentication failure code "Users access filtered" when trying to login to NAR devices with new username and from non-permitted calling client/ip address.
    Thanks for your help.

  • How to share internet access from iPhone with home LAN

    Hello,
    Sorry if this has been asked before, but I just bought an iPhone and am trying to use it to provide internet access to a LAN at my cottage where only dial-up is possible with my ISP. Although this is easily accomplished by enabling internet sharing on my iMac and plugging it into my router's WAN port, I do not have any access to my IP printer or to my SONOS music system. Any pointers?
    Thanks,
    Martin Girard

    Well, getting internet access for my iMac is straightforward using USB tethering (I live in Canada, no AT&T crap). Then, I can share this connection with other computers (via ethernet in my case) by enabling internet sharing (in the Sharing control panel). My problem is that once I plug my iMac in the WAN port of my router, I can't access my LAN anymore. Any ideas???

  • How to configure for Internet access from USB EV-DO wireless broadband stick

    I have a WRT120N and I installed it in my office, which has three computers (wired) that I've connected to the WRT120N. They all can communicate with one another. What I need to do is share the EV-DO connection (USB stick) I have on one of these computers with the others and also with the devices that connect over Wi-Fi.
    Thank you!
    Nahom

    Are you trying to share the Internet connection using EV-DO and WRT120N?

  • How to define an itab based from a structure inside a class

    Hello Experts,
    How can I define an internal table based on a structure that
    is declared inside a class? I want to define it in the START-OF-SELECTION event.
    I'll create a scenario below:
    *       CLASS lcl_main DEFINITION
    CLASS lcl_main DEFINITION ABSTRACT.
      PUBLIC SECTION.
        TYPES: BEGIN OF t_vbak,
              vbeln TYPE vbak-vbeln,
              erdat TYPE vbak-erdat,
              ernam TYPE vbak-ernam,
              auart TYPE vbak-auart,
              kunnr TYPE vbak-kunnr,
              vkgrp TYPE vbak-vkgrp,
             END OF t_vbak.
    ENDCLASS.                    "lcl_main DEFINITION
    START-OF-SELECTION.
    *Here i want to define an internal table based from the structure T_VBAK.
    Hope you could help me out here guys. Thank you and take care!

  • How to load a xml file from a package inside of a jar file

    hi@all
    My application has got an XML configuration file which is saved inside the package tree of the class that reads this file.
    When I'm developing using Eclipse the class can find that file and everything works fine, but when I create a jar file of my application to use it in another application it cannot find that file anymore.
    can anyone tell me how to solve this problem, please?
    thx a lot
    dialsc

    hi all,
    the xml file is in the jar file and
    ClassLoader.getSystemResourceAsStream(..) solved my problem.
    In fact I did nameOfClassInSamePackageAsXmlFile.class.getResourceAsStream("nameOfFile.xml"); thank you all
    greez
    dialsc

  • ASA 5505, how to configure DMZ to Inside traffic flows

    Dear.
    We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
    We really need all these interfaces.
    The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurs when doing this.
    I want to allow only one single port to have access from the DMZ to the inside. Is that possible? And how?
    Thanks for the feedback.
    Regards.
    Peter.

    What I mean with "can't be disabled": when you navigate to Configuration/Interfaces and select the DMZ interface / Advanced, you can block traffic. By default Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create another, extra interface because the license is 3 max.
    So, my question is: can I create a rule somewhere to overwrite this setting for only one specific port? And how?
    Result of the command: "show version"
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    Compiled on Fri 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"
    router up 100 days 1 hour
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Int: Internal-Data0/0    : address is a44c.11bb.5492, irq 11
    1: Ext: Ethernet0/0         : address is a44c.11bb.548a, irq 255
    2: Ext: Ethernet0/1         : address is a44c.11bb.548b, irq 255
    3: Ext: Ethernet0/2         : address is a44c.11bb.548c, irq 255
    4: Ext: Ethernet0/3         : address is a44c.11bb.548d, irq 255
    5: Ext: Ethernet0/4         : address is a44c.11bb.548e, irq 255
    6: Ext: Ethernet0/5         : address is a44c.11bb.548f, irq 255
    7: Ext: Ethernet0/6         : address is a44c.11bb.5490, irq 255
    8: Ext: Ethernet0/7         : address is a44c.11bb.5491, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 50       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    Serial Number: xxxxxxxxxxxxxx
    Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Configuration register is 0x1
    Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013

  • How to config BSP to run in public network

    Dear BSP experts
    I am new to BSP development. I have created one BSP application and tested it OK in SAP, and got the URL of the BSP. It can be tested within our company using the URL, but not outside. So do I need to configure something so I can run this BSP application anywhere? And how? Thanks
    Best Regards
    Jacky

    Hi Jacky,
    You need to assign public IP to your SAP system to be accessed from internet (outside your LAN) and the domain name to be assigned to the server and registered in DNS.
    Otherwise, use web dispatcher to catch and redirect the requests to SAP server.
    Regards,
    Ravi

  • Need help with ASA 5512 and SQL port between DMZ and inside

    Hello everyone,
    Inside is on gigabitEthernet0/1 ip 192.9.200.254
    I have a dmz on gigabitEthernet2 ip 192.168.100.254
    I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network. 
    I believe this will work for port 443:
    object network dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver
    host 192.168.100.80
    object network webserver
    nat (dmz,outside) static interface service tcp 443 443
    access-list Outside_access_in extended permit tcp any object webserver eq 443
    access-group Outside_access_in in interface Outside
    However...How would I open only port 1433 from dmz to inside?
    At the bottom of this message is my config if it helps.
    Thanks,
    John Clausen
    Config:
    : Saved
    ASA Version 9.1(2) 
    hostname ciscoasa-gcs
    domain-name router.local
    enable password f4yhsdf.4sadf977 encrypted
    passwd f4yhsdf.4sadf977 encrypted
    names
    ip local pool vpnpool 192.168.201.10-192.168.201.50
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.222.222.212 255.255.255.224 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.9.200.254 255.255.255.0 
    interface GigabitEthernet0/2
     nameif dmz
     security-level 100
     ip address 192.168.100.254 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    ftp mode passive
    dns server-group DefaultDNS
     domain-name router.local
    object network inside-subnet
     subnet 192.9.200.0 255.255.255.0
    object network netmotion
     host 192.9.200.6
    object network inside-network
     subnet 192.9.200.0 255.255.255.0
    object network vpnpool
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.168.201.0_26
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.9.200.0_24
     subnet 192.9.200.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 log disable 
    access-list Outside_access_in extended permit udp any object netmotion eq 5020 
    access-list split standard permit 192.9.200.0 255.255.255.0 
    access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
    nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
    object network netmotion
     nat (inside,outside) static interface service udp 5020 5020 
    nat (inside,outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.9.200.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ssl-client 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value router.local
    group-policy VPNT internal
    group-policy VPNT attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ikev1 l2tp-ipsec 
     split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNT_splitTunnelAcl
     default-domain value router.local
    username grimesvpn password 7.wersfhyt encrypted
    username grimesvpn attributes
     service-type remote-access
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool vpnpool
     default-group-policy SSLVPN
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    tunnel-group VPNT type remote-access
    tunnel-group VPNT general-attributes
     address-pool vpnpool
     default-group-policy VPNT
    tunnel-group VPNT ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
    : end

    Hi Vibor. Apologies if my comment was misunderstood.  What I meant to say was that the security level of the dmz interface should probably be less than 100. 
    And therefore traffic could be controlled between DMZ and inside networks. 
    As per the security level on the DMZ interface ....... that command is correct. :-)

  • How to configure firewall access for ASA 5510

    Hi,
    This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
    I want to do this using ASDM, How do I accomplish this?
    Thanks,
    Jojo

    Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.
    1. Log into your ASA using ASDM. On the top tabs look for "Configuration".
    2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you're in the "Firewall" menu and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.
    3. At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked you should identify:
         a. Interface - INSIDE or OUTSIDE
         b. Action - PERMIT or DENY
         c. Source - Subnet that needs to talk to the destination address
         d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254; use a /32 mask for a specific IP address and not a range
         e. Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports
    4. You can then enter a description of the specific access rule and enable logging.
    This should be it... let me know how this works out for you!! 
