Allow access from inside to DMZ

Unanswered Question
Mar 18th, 2007

Hi guys,

I am having a little confusion. Right now I want to allow access from one of my servers in the internal network to a server located in the DMZ. What I am confused about is: do I have to create a static translation, or if I configure a global statement for the DMZ will it be enough, as it is going to permit access from the inside hosts?

Please advise.

Thanks

Mahmood

Jon Marshall Sun, 03/18/2007 - 03:21

Hi Mahmood

It depends on the where the connection is initiated from.

If you were connecting from the DMZ to the inside you would need a static translation.

If you are initiating from the inside to the DMZ then you can do this with dynamic NAT

e.g. nat (inside) 1 0.0.0.0 0.0.0.0

global (DMZ) 1 interface

Obviously your NAT statement does not have to be 0.0.0.0 0.0.0.0 - you can be more specific.

Static translations are needed when you go from a lower to higher security interface.

Hope this makes sense

Jon

mahmoodmkl Sun, 03/18/2007 - 03:25

Hi jon

That's what was confusing me, as I want to allow connections from the inside. By the way, if I configure the global command, will all the traffic be permitted between the inside and DMZ interfaces, e.g. remote desktop and some backup applications?

Thanks

Jon Marshall Sun, 03/18/2007 - 03:36

Mahmood

If you configure the nat and global commands as per my other post yes this would allow any inside machine to get to the DMZ.

You can limit this by either

1) being more specific on the NAT

2) having an access-list on the inside interface that restricts which machines can get through to the DMZ.

HTH

Jon

mahmoodmkl Sun, 03/18/2007 - 03:52

Hi

I didn't get what you mean by being more specific on NAT. Can you please elaborate?

Option 2 I can understand.

Jon Marshall Sun, 03/18/2007 - 08:22

Hi

nat (inside) 1 0.0.0.0 0.0.0.0

means translate all addresses from the inside. You could tie it down to a subnet or subnets for example

nat (inside) 1 192.168.1.0 255.255.255.0

If you already use a nat (inside) 1 for inside to outside traffic you can use other numbers, e.g.

This is for normal inside to outside traffic

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

This would be for your DMZ traffic

nat (inside) 2 192.168.1.0 255.255.255.0

global (DMZ) 2 interface

You can use multiple entries on your nat statements ie.

nat (inside) 2 192.168.1.0 255.255.255.0

nat (inside) 2 192.168.2.10 255.255.255.255

etc...

and map them to one global

global (DMZ) 2 interface

You can also use an access-list with your NAT statement if you needed to be more specific than just a subnet range.

Note, in all examples I have made the global statements use the "interface" option. You don't have to do this, you can map the IP addresses to another IP or set of IPs if you want.

HTH

Jon
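As an added illustration of the two restrictions described in the reply above (a more specific NAT, and an access-list on the inside interface), here is a PIX/ASA fragment in the pre-8.3 nat/global syntax. It is not from the thread; the interface names, addresses, the DMZ server and the backup port are all assumptions.

```cisco
! Added example, not from the original thread. Assumed layout:
!   inside = 192.168.1.0/24 (security 100), backup/RDP client at 192.168.1.10
!   DMZ    = 10.10.10.0/24  (security 50),  server at 10.10.10.5
! PIX/ASA 7.x syntax (the "extended" keyword is dropped on PIX 6.x).
!
! Option 1: be more specific on the NAT. Only 192.168.1.10 is translated toward
! the DMZ server (policy NAT driven by an access-list); other inside hosts get
! no translation for this path. A separate nat/global pair (id 1) can keep
! serving normal inside-to-outside traffic, as in the post.
access-list NAT_INSIDE_TO_DMZ extended permit ip host 192.168.1.10 host 10.10.10.5
nat (inside) 2 access-list NAT_INSIDE_TO_DMZ
global (DMZ) 2 interface
!
! Option 2: an access-list applied inbound on the inside interface, so only
! Remote Desktop (tcp/3389) and the backup application (assumed tcp/10000) may
! reach the DMZ server. The explicit deny toward the DMZ subnet is defence in
! depth: on 7.x with nat-control off, untranslated hosts could otherwise still
! pass. The final permit keeps inside-to-outside traffic working, since an
! applied ACL ends with an implicit deny.
access-list INSIDE_IN extended permit tcp host 192.168.1.10 host 10.10.10.5 eq 3389
access-list INSIDE_IN extended permit tcp host 192.168.1.10 host 10.10.10.5 eq 10000
access-list INSIDE_IN extended deny ip any 10.10.10.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Checks: "show xlate" shows the translation for 192.168.1.10 once it connects;
! "show access-list INSIDE_IN" shows per-line hit counts, so a rising count on
! the deny line reveals other inside hosts trying to reach the DMZ.
```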
