ssh denied to dmz.....

[GM2005]

I have a problem with basic access through an ASA 5505 SEC bundle with DMZ enabled. The symptoms are:

ssh to 10.10.10.83 works to 192.168.50.1 inside
1433 from 192.168.50.129 dmz works to 192.168.50.1 inside
ssh and 80 to 10.10.10.82 denied 192.168.50.129 dmz

I cannot see why. Am I missing the obvious?

-------------------------------------------------

interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.126 255.255.255.128

interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.81 255.255.255.240

interface Vlan3
nameif dmz
security-level 50
ip address 192.168.50.254 255.255.255.128

access-list outside_access_in extended permit tcp any host 10.10.10.82 eq 22
access-list outside_access_in extended permit tcp any host 10.10.10.82 eq 80
access-list outside_access_in extended permit tcp any host 10.10.10.83 eq 22
access-list dmz_access_in extended permit tcp 192.168.50.128 any eq 1433

static (dmz,outside) 10.10.10.82 192.168.50.129
static (inside,outside) 10.10.10.83 192.168.50.1
static (dmz,inside) 192.168.50.1 192.168.50.1

access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

interface ethernet 0/0
switchport access vlan 2

interface ethernet 0/1
switchport access vlan 1

interface ethernet 0/2
switchport access vlan 3

 

[North323]

you need to expand this acl to cover ssh and port 80
access-list dmz_access_in extended permit tcp 192.168.50.128 any eq 1433

 

[GM2005]

Thanks for that. It was a stupid mistake that was causing the traffic to the DMZ from outside to fail. The DMZ security level was 0........... I typed part of the config sample and ASSumed I had set the DMZ to 50.