
Allow all VLANs to access the DMZ on a Cisco ASA

Situation: A client has multiple VLANs in a tiered network. They set up a rule on the Cisco ASA that allowed only LAN 1 to access the DMZ. Now they want every VLAN to be able to access the DMZ.

Resolution: add an interface PAT global for NAT ID 10 on the DMZ interface. In configuration mode, run these commands:

conf t
global (DMZ) 10 interface

Or add the equivalent dynamic (interface PAT) NAT rule for the DMZ interface in ASDM.
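Why a single global line is enough: the packet-tracer output below shows an existing nat (inside) 10 0.0.0.0 0.0.0.0 statement, which matches every inside source, and in pre-8.3 NAT syntax a nat ID needs a matching global on every interface those hosts may exit. The outside global already existed; the DMZ one was the missing piece. The following is an added configuration example, not the client's configuration from this page. It assumes, as the trace implies, that all VLANs reach the ASA through the inside interface; it also shows a tighter inside ACL than the permit ip any any in the trace (assuming the only inside-to-DMZ traffic needed is HTTP to 172.254.0.3, the host used in the trace) and, in comments, the equivalent object NAT for ASA 8.3 and later. Interface names and the ACL name come from the page; the object name is assumed.

```cisco
! Added example, not the configuration from this page. Pre-8.3 syntax, as used above.
! NAT ID 10 on inside matches every inside source, so it needs a global on
! every interface those hosts exit: outside (already present) and DMZ (the fix).
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
global (DMZ) 10 interface
!
! Inside ACL. The page's rule is "permit ip any any". This assumed version lets all
! VLANs reach only HTTP on the DMZ server (172.254.0.3, from the trace), blocks the
! rest of the DMZ network (172.254.0.0/24, from the route lookup in the trace), and
! leaves inside-to-outside traffic unchanged.
access-list inside_access_in extended permit tcp any host 172.254.0.3 eq www
access-list inside_access_in extended deny ip any 172.254.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! Cisco's general guidance after changing nat/global statements is to clear the
! existing translation table so every host picks up the new rules (exec mode):
! clear xlate
!
! Equivalent on ASA 8.3 and later, where nat/global are replaced by object NAT
! (object name assumed):
! object network INSIDE-ANY
!  subnet 0.0.0.0 0.0.0.0
!  nat (inside,DMZ) dynamic interface
```

After the change, re-run the packet-tracer command shown on this page. If the ACL is tightened as above, also trace a non-HTTP port to 172.254.0.3 and confirm that the ACCESS-LIST phase reports DROP rather than the flow being allowed; otherwise every VLAN has unrestricted access to the whole DMZ, which is usually more than the requirement calls for.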



Then use packet-tracer (abbreviated as pac below) to verify the flow. Phase 5 should show the new dynamic translation to the DMZ interface address, and the final Action should be allow:

ASA5510# pac in inside tcp 10.2.0.45 1025 172.254.0.3 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.254.0.0 255.255.255.0 DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any DMZ any
    dynamic translation to pool 10 (172.254.0.1 [Interface PAT])
    translate_hits = 71, untranslate_hits = 0
Additional Information:
Dynamic translate 10.2.0.45/1025 to 172.254.0.1/31278 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (173.161.x.x [Interface PAT])
    translate_hits = 24624010, untranslate_hits = 3677654
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 173.161.x.x 172.254.0.3 netmask 255.255.255.255
  match ip DMZ host 172.254.0.3 outside any
    static translation to 173.161.x.x
    translate_hits = 33072, untranslate_hits = 116762
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 29703193, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow


This web is provided "AS IS" with no warranties.
Copyright © 2002-2013 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.