Allow access from inside to DMZ

Mar 18th, 2007

Hi guys,


I am having a little confusion. Right now I want to allow access from one of my servers in the internal network to a server located in the DMZ. What I am confused about is: do I have to create a static translation, or if I configure a global statement for the DMZ, will that be enough, as it is going to permit access from the inside hosts?

Please advise.


Thanks

Mahmood


mahmoodmkl Sun, 03/18/2007 - 03:16

Hi guys


Any replies?


Mahmood

Jon Marshall Sun, 03/18/2007 - 03:21

Hi Mahmood


It depends on where the connection is initiated from.


If you were connecting from the DMZ to the inside you would need a static translation.


If you are initiating from the inside to the DMZ then you can do this with dynamic NAT,


e.g. nat (inside) 1 0.0.0.0 0.0.0.0

global (DMZ) 1 interface


Obviously your NAT statement does not have to be 0.0.0.0 0.0.0.0; you can be more specific.


Static translations are needed when you go from a lower to higher security interface.


Hope this makes sense


Jon

mahmoodmkl Sun, 03/18/2007 - 03:25

Hi Jon


That's what was confusing me, as I want to allow connections from the inside. BTW, if I configured the global command, will all the traffic be permitted between the inside and DMZ interfaces, e.g. remote desktop and some backup applications?


Thanks



Jon Marshall Sun, 03/18/2007 - 03:36

Mahmood


If you configure the nat and global commands as per my other post, yes, this would allow any inside machine to get to the DMZ.


You can limit this by either


1) being more specific on the NAT

2) having an access-list on the inside interface that restricts which machines can get through to the DMZ.


HTH


Jon

mahmoodmkl Sun, 03/18/2007 - 03:52

Hi


I didn't get what you mean by being more specific on NAT. Can you please elaborate?


Option 2 I can understand.

Jon Marshall Sun, 03/18/2007 - 08:22

Hi


nat (inside) 1 0.0.0.0 0.0.0.0


means translate all addresses from the inside. You could tie it down to a subnet or subnets, for example


nat (inside) 1 192.168.1.0 255.255.255.0



If you already use nat (inside) 1 for inside-to-outside traffic you can use other numbers, e.g.


This is for normal inside to outside traffic


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


This would be for your DMZ traffic


nat (inside) 2 192.168.1.0 255.255.255.0

global (DMZ) 2 interface


You can use multiple entries on your nat statements, i.e.


nat (inside) 2 192.168.1.0 255.255.255.0

nat (inside) 2 192.168.2.10 255.255.255.255

etc...


and map them to one global


global (DMZ) 2 interface


You can also use an access-list with your NAT statement if you needed to be more specific than just a subnet range.


Note, in all examples I have made the global statements use the "interface" option. You don't have to do this; you can map the IP addresses to another IP or set of IPs if you want.


HTH


Jon
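
The configuration below is an added worked example, not posted by anyone in this thread, that puts Jon's two answers together: dynamic NAT with its own NAT ID for inside-to-DMZ, the optional access-list form of the nat statement, an inbound ACL on the inside interface so only the named host and ports reach the DMZ server, and the static translation plus DMZ-side ACL that a DMZ-to-inside connection would need. It assumes PIX/ASA 7.x with the pre-8.3 nat/global/static syntax used in the thread, inside at security level 100 and DMZ at security level 50, and the illustrative addresses 192.168.1.10 (inside server), 172.16.1.5 (DMZ server) and TCP 10000 for the backup application; the ACL names are made up for the example.

```cisco
! Added example (not from the thread). Assumed: PIX/ASA 7.x, pre-8.3 NAT syntax,
! inside = security 100, DMZ = security 50, inside host 192.168.1.10,
! DMZ server 172.16.1.5, backup application on TCP 10000, ACL names illustrative.
!
! 1) Inside -> DMZ (higher to lower security): dynamic NAT is enough.
!    Keep the existing inside->outside rule (ID 1) and use a separate NAT ID
!    that lists only the host that needs DMZ access.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
nat (inside) 2 192.168.1.10 255.255.255.255
global (DMZ) 2 interface
!
! 1b) Alternative to the line above: tie NAT ID 2 to an access-list so only
!     traffic from 192.168.1.10 to the DMZ server is translated by it.
! access-list DMZ_NAT extended permit ip host 192.168.1.10 host 172.16.1.5
! nat (inside) 2 access-list DMZ_NAT
!
! 2) Restrict what the inside host may do on the DMZ server. With no ACL on the
!    inside interface, everything from inside is allowed towards lower-security
!    interfaces. First match wins: permit RDP and the backup port from the one
!    host, deny everything else to the DMZ subnet, keep normal outbound access.
access-list INSIDE_IN extended permit tcp host 192.168.1.10 host 172.16.1.5 eq 3389
access-list INSIDE_IN extended permit tcp host 192.168.1.10 host 172.16.1.5 eq 10000
access-list INSIDE_IN extended deny ip any 172.16.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! 3) DMZ -> inside (lower to higher security) needs a static translation AND an
!    ACL applied inbound on the DMZ interface. Identity static (same address on
!    both sides); the DMZ server may reach the inside host only on the backup port.
static (inside,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
access-list DMZ_IN extended permit tcp host 172.16.1.5 host 192.168.1.10 eq 10000
access-group DMZ_IN in interface DMZ
```

To check the result, open a connection from 192.168.1.10 and look at show xlate for the PAT entry on the DMZ interface address; on ASA 7.2 and later, packet-tracer input inside tcp 192.168.1.10 1025 172.16.1.5 3389 walks the ACL and NAT lookups without sending traffic. Two caveats: on ASA 7.x with nat-control disabled (the default) inside hosts can reach the DMZ with no nat/global at all, so the nat statement is then a matter of address hiding rather than reachability, and the ACL is what actually limits access; and from 8.3 onwards the nat/global/static syntax shown here is replaced by object NAT, so these lines do not apply unchanged to newer releases.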
