03-18-2007 02:20 AM - edited 03-05-2019 02:58 PM
Hi guys,
I am having a little confusion. Right now I want to allow access from one of my servers in the internal network to a server located in the DMZ. What I am confused about is whether I have to create a static translation, or if I configure a global statement for the DMZ will that be enough, as it is going to permit access from the inside hosts.
Please advise.
Thanks
Mahmood
03-18-2007 03:16 AM
HI guys
Any replies?
Mahmood
03-18-2007 03:21 AM
Hi Mahmood
It depends on where the connection is initiated from.
If you were connecting from the DMZ to the inside you would need a static translation.
If you are initiating from the inside to the DMZ then you can do this with dynamic NAT,
e.g. nat (inside) 1 0.0.0.0 0.0.0.0
global (DMZ) 1 interface
Obviously your NAT statement does not have to be 0.0.0.0 0.0.0.0 - you can be more specific.
Static translations are needed when you go from a lower to higher security interface.
Hope this makes sense
Jon
03-18-2007 03:25 AM
Hi Jon
That's what was confusing me, as I want to allow connections from the inside. BTW, if I configured the global command, will all the traffic be permitted between the inside and DMZ interfaces, e.g. remote desktop and some backup applications?
Thanks
03-18-2007 03:36 AM
Mahmood
If you configure the nat and global commands as per my other post, yes, this would allow any inside machine to get to the DMZ.
You can limit this by either:
1) being more specific on the NAT
2) having an access-list on the inside interface that restricts which machines can get through to the DMZ.
HTH
Jon
03-18-2007 03:52 AM
Hi
I didn't get what you mean by being more specific on NAT. Can you please elaborate?
Option 2 I can understand.
03-18-2007 08:22 AM
Hi
nat (inside) 1 0.0.0.0 0.0.0.0
means translate all addresses from the inside. You could tie it down to a subnet or subnets, for example
nat (inside) 1 192.168.1.0 255.255.255.0
If you already use a nat (inside) 1 for inside to outside traffic you can use other numbers, e.g.
This is for normal inside to outside traffic
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
This would be for your DMZ traffic
nat (inside) 2 192.168.1.0 255.255.255.0
global (DMZ) 2 interface
You can use multiple entries on your nat statements, i.e.
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.2.10 255.255.255.255
etc...
and map them to one global
global (DMZ) 2 interface
You can also use an access-list with your NAT statement if you needed to be more specific than just a subnet range.
Note, in all examples I have made the global statements use the "interface" option. You don't have to do this; you can map the IP addresses to another IP or set of IPs if you want.
HTH
Jon
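The nat/global pairing Jon describes above (a nat ID on the ingress interface selects which hosts are eligible, and a global with the same ID on the egress interface supplies the mapped address; lower-to-higher security traffic needs a static instead) can be worked through with a small model. This is an added example, not code from the thread or from Cisco: it parses the nat/global lines Jon posted, assumes security levels of inside=100, DMZ=50, outside=0 and constructed interface addresses, and picks the most specific matching nat entry when several match (a simplification; check the rule-ordering documented for your own PIX/ASA release before relying on that tiebreak).

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed security levels; the thread names the interfaces but never states the levels.
SECURITY_LEVEL = {"outside": 0, "DMZ": 50, "inside": 100}


@dataclass(frozen=True)
class NatRule:
    iface: str                     # ingress interface, e.g. "inside"
    nat_id: int                    # the number that ties nat and global together
    real: ipaddress.IPv4Network    # hosts eligible for translation


@dataclass(frozen=True)
class GlobalRule:
    iface: str                     # egress interface, e.g. "DMZ"
    nat_id: int
    mapped: str                    # "interface" or a literal mapped address


NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def parse_config(text: str) -> Tuple[List[NatRule], List[GlobalRule]]:
    """Parse 'nat (if) id net mask' and 'global (if) id interface|addr' lines only."""
    nats, globs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nid, addr, mask = m.groups()
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            nats.append(NatRule(iface, int(nid), net))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nid, mapped = m.groups()
            globs.append(GlobalRule(iface, int(nid), mapped))
            continue
        raise ValueError(f"unsupported line: {line}")
    return nats, globs


def translate(nats: List[NatRule], globs: List[GlobalRule], ingress: str, egress: str,
              src: str, egress_ip: str) -> Tuple[str, Optional[str]]:
    """Decide what happens to a new connection from src entering on ingress and leaving on egress.

    Returns (outcome, mapped_address). Outcomes:
      static-required   lower-to-higher security: dynamic nat/global does not apply
      no-nat-match      no nat entry on the ingress interface covers src
      no-global-for-id  nat matched, but no global with that ID exists on the egress interface
      translated        mapped address chosen from the matching global
    """
    src_ip = ipaddress.IPv4Address(src)
    if SECURITY_LEVEL[ingress] < SECURITY_LEVEL[egress]:
        return ("static-required", None)
    candidates = [n for n in nats if n.iface == ingress and src_ip in n.real]
    if not candidates:
        return ("no-nat-match", None)
    # Assumption: the most specific (longest mask) nat entry wins when several match.
    best = max(candidates, key=lambda n: n.real.prefixlen)
    pool = next((g for g in globs if g.iface == egress and g.nat_id == best.nat_id), None)
    if pool is None:
        return ("no-global-for-id", None)
    mapped = egress_ip if pool.mapped == "interface" else pool.mapped
    return ("translated", mapped)


# Jon's example configuration from the thread, reproduced verbatim.
SAMPLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.2.10 255.255.255.255
global (DMZ) 2 interface
"""

# Constructed interface addresses for the "interface" keyword; not from the thread.
IFACE_IP = {"outside": "203.0.113.2", "DMZ": "172.16.1.1"}


def evaluate(ingress: str, egress: str, src: str) -> Tuple[str, Optional[str]]:
    nats, globs = parse_config(SAMPLE_CONFIG)
    return translate(nats, globs, ingress, egress, src, IFACE_IP.get(egress, "n/a"))


if __name__ == "__main__":
    for ingress, egress, src in [("inside", "DMZ", "192.168.1.25"),
                                 ("inside", "DMZ", "192.168.2.10"),
                                 ("inside", "DMZ", "192.168.3.7"),
                                 ("inside", "outside", "192.168.3.7"),
                                 ("DMZ", "inside", "172.16.1.50")]:
        print(f"{src} {ingress}->{egress}: {evaluate(ingress, egress, src)}")
```

The third case is the one that answers Mahmood's question: 192.168.3.7 is covered only by nat ID 1, and with no global (DMZ) 1 it gets no translation toward the DMZ, so the /24 and /32 entries under ID 2 are what limit DMZ access to chosen hosts, while the same host still reaches the outside through global (outside) 1. The last case shows the direction rule from Jon's first reply: a DMZ host initiating toward the inside is not served by nat/global at all.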