ASA 5540

Topic review


Re: ASA 5540

by sourav kakkar » Mon Jul 18, 2011 3:40 am


Here is my understanding of the issue:

You have a LAN segment (let) and a DMZ (let). You have nat-control on the ASA, and access from the LAN to the DMZ is fine as you have PAT configured for that. Now, to set up access from the DMZ to the LAN, you will need to configure static NAT for the hosts on the LAN that you need to reach from the DMZ, and also open the access-list on the DMZ interface to allow whichever traffic you need, as follows:

To allow only RDP (TCP 3389) access to one machine on the LAN, let's say, from the DMZ and deny everything else to it, while traffic from the DMZ to any lower-security interface stays unaffected:

static (LAN,DMZ) netmask

access-list DMZ_access_in permit tcp host eq 3389
access-list DMZ_access_in deny ip host
access-list DMZ_access_in permit ip any any
access-group DMZ_access_in in interface DMZ

Now if you need to open all access from DMZ to LAN:

static (LAN,DMZ) netmask

access-list DMZ_access_in permit ip any any
access-group DMZ_access_in in interface DMZ

Hope this helps!

Sourav Kakkar
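A complete version of the configuration described above, as an added example that is not part of Sourav's post: the interface names, the addresses and the pre-8.3 (nat-control era) syntax are assumptions, and the two packet-tracer lines at the end are the check to run on the ASA to confirm the ACL behaves as intended.

```cisco
! Constructed addressing (assumption, not from the thread):
!   LAN = 192.168.1.0/24 on interface "LAN" (security-level 100)
!   DMZ = 10.10.10.0/24 on interface "DMZ" (security-level 50)
!   LAN host that the DMZ may reach on RDP only: 192.168.1.10
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
nat-control
! Outbound PAT for the whole LAN behind the DMZ interface address
! (what the original poster already has; nat-control makes a
! translation mandatory in both directions)
nat (LAN) 1 192.168.1.0 255.255.255.0
global (DMZ) 1 interface
!
! Identity static NAT: the LAN host keeps its own address on the DMZ side.
! Without a static, nat-control drops DMZ -> LAN packets with
! "no translation group found" before the ACL is even consulted.
! (If you map it to a different DMZ-side address instead, pre-8.3 ACLs
! must reference that mapped address, not the real one.)
static (LAN,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
!
! Inbound ACL on the DMZ: first match wins, so the order matters.
!  1) only RDP to the LAN host
!  2) explicitly deny everything else to that host
!  3) leave all other DMZ traffic (e.g. towards the outside) unaffected
access-list DMZ_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list DMZ_access_in extended deny ip any host 192.168.1.10
access-list DMZ_access_in extended permit ip any any
access-group DMZ_access_in in interface DMZ
!
! Verification: simulate a DMZ host reaching the LAN host on RDP
! (expect "Action: allow") and on SMB (expect "Action: drop" at the
! ACCESS-LIST phase)
packet-tracer input DMZ tcp 10.10.10.20 40000 192.168.1.10 3389
packet-tracer input DMZ tcp 10.10.10.20 40001 192.168.1.10 445
```

Other LAN hosts without a static entry are still unreachable from the DMZ even though the last ACL line is permit ip any any, because nat-control drops them at the NAT lookup.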

Re: ASA 5540

by john » Wed Jun 01, 2011 12:23 pm


You will need an acl that allows traffic to flow from the server to the LAN


access-list outside_access_in extended permit tcp (source) x.x.x.x (destination) host x.x.x.x (port)

Using the web interface it is really easy to allow traffic from one server to another in the firewall section.


Re: ASA 5540

by NgocNgao » Sun May 29, 2011 7:34 pm

Thanks!

Can you give more detail?

You can see my config file in my last post, "NAT and Access-list in Asa 5540".

Re: ASA 5540

by john » Sun May 29, 2011 4:30 pm

I was just in Vietnam in October!

You would have to make an ACL to allow the traffic from the less secure port to the more secure port.


ASA 5540

by NgocNgao » Sat May 28, 2011 9:18 pm

Hello everybody,

I'm a beginner with the ASA 5540. I'm from Vietnam.
I posted my topic but no one replied :(.

My problem is how I can access the LAN from the DMZ. Normally the LAN can access the DMZ, but not the other way round.
I'm using nat-control for PAT of the whole LAN via the DMZ interface.
Can someone answer me?

Thanks so much !