Allow all VLANs access to the DMZ in Cisco ASA

Situation: A client has multiple VLANs in a tiered network. They set up a rule on the Cisco ASA that allows LAN 1 only to access the DMZ. Now they want all VLANs to be able to access the DMZ.

Resolution: Run these commands:

conf t
global (DMZ) 10 interface

This adds the DMZ interface to the existing NAT ID 10 (nat (inside) 10 0.0.0.0 0.0.0.0, visible in Phase 5 of the trace below), so hosts from every inside VLAN are translated to the DMZ interface address when they reach the DMZ.

Or run ASDM and add the NAT rule as shown below. Then use packet-tracer (abbreviated pac) to check the status as shown below.

ASA5510# pac in inside tcp 10.2.0.45 1025 172.254.0.3 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.254.0.0 255.255.255.0 DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any DMZ any
    dynamic translation to pool 10 (172.254.0.1 [Interface PAT])
    translate_hits = 71, untranslate_hits = 0
Additional Information:
Dynamic translate 10.2.0.45/1025 to 172.254.0.1/31278 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (173.161.x.x [Interface PAT])
    translate_hits = 24624010, untranslate_hits = 3677654
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 173.161.x.x 172.254.0.3 netmask 255.255.255.255
  match ip DMZ host 172.254.0.3 outside any
    static translation to 173.161.x.x
    translate_hits = 33072, untranslate_hits = 116762
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 29703193, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
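To repeat this check for a source in each VLAN without reading every trace by eye, the following parser (added here; not code from the page or from Cisco) splits packet-tracer output into phases and reports whether the flow was allowed, which phase first denied it, and what the NAT phase translated the source to. The sample is abridged from the page's own run.

```python
import re

# Abridged from the page's own packet-tracer run: only the inside->DMZ NAT
# phase and the trailing Result block are kept, their lines verbatim.
SAMPLE = """\
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any DMZ any
    dynamic translation to pool 10 (172.254.0.1 [Interface PAT])
Additional Information:
Dynamic translate 10.2.0.45/1025 to 172.254.0.1/31278 using netmask 255.255.255.255
Result:
input-interface: inside
output-interface: DMZ
Action: allow
"""

def parse_packet_tracer(text):
    """Split the output into per-phase dicts plus the final Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Phase":                      # "Phase: N" opens a new phase
            cur = {"phase": int(val), "config": [], "info": []}
            phases.append(cur)
        elif key == "Result" and not val:       # bare "Result:" ends the phases
            cur = None
        elif cur is None:                       # interface state and Action
            final[key] = val
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section:
            cur[section].append(line)
    return phases, final

def flow_verdict(text):
    """Return (allowed, first denying phase, translated source address)."""
    phases, final = parse_packet_tracer(text)
    denied = [p["phase"] for p in phases if p.get("result") != "ALLOW"]
    nat_info = " ".join(ln for p in phases if p.get("type") == "NAT" for ln in p["info"])
    m = re.search(r"translate \S+ to (\S+)", nat_info)
    allowed = final.get("Action") == "allow" and not denied
    return allowed, (denied[0] if denied else None), (m.group(1) if m else None)
```

Run the same packet-tracer command once per VLAN with a source address from that VLAN and feed each output to flow_verdict; a translated address on the DMZ interface confirms the global rule applies to that VLAN.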
This web is provided "AS IS" with no warranties.
Copyright © 2002-2013
ChicagoTech.net,
All rights reserved. Unauthorized reproduction forbidden.