DMZ to Internal Network?

Jul 31st, 2007

Hey guys


I have 3 nets - an outside/29, an inside 10.0.0.1/24, and a DMZ 10.1.0.1/24. I would like a few servers in the DMZ to be able to talk to a few servers on the inside net, just a few ports. What is the correct way to establish this?


Thanks,

Dan

srue Tue, 07/31/2007 - 11:06

Enable static commands as follows:

static (inside,dmz) 10.0.0.50 10.0.0.50

Enable an access-list on the dmz interface:

access-list dmz_acl permit tcp host 10.1.0.5 host 10.0.0.50 eq 80
access-group dmz_acl in interface dmz

This is an example to enable the dmz host at 10.1.0.5 to access 10.0.0.50 on the inside on tcp port 80.

acomiskey Tue, 07/31/2007 - 11:08

Something like this will do the trick. Obviously the permit statements in the acl would be whatever you needed; I just used an example to allow the dmz to reach 3 inside hosts.


! identity NAT for the whole inside /24 (netmask must be 255.255.255.0, not a host mask)
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

! first match wins: the three permits, then deny the rest of inside, then allow everything else
access-list dmz permit ip any host 10.0.0.1
access-list dmz permit ip any host 10.0.0.2
access-list dmz permit ip any host 10.0.0.3
access-list dmz deny ip any 10.0.0.0 255.255.255.0
access-list dmz permit ip any any

access-group dmz in interface DMZ


The last 2 lines in the acl are important if you want the DMZ to be able to access the outside.


Please rate helpful posts.

srue Tue, 07/31/2007 - 11:15

oh yeah, don't forget those last two lines of acomiskey's config...VERY important. *slaps self for forgetting them*


These configs also assume nat-control is configured, btw, if you're running 7.x.
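The point both answers make about ACE ordering (first match wins, implicit deny at the end, so the `deny ip any 10.0.0.0 255.255.255.0` must sit before `permit ip any any`) can be checked offline. The following is an added example, not code from the thread or from Cisco: a small evaluator for the PIX/ASA ACE syntax used above, run over the posted `dmz` ACL with and without the deny line. The source host 10.1.0.5, the inside host 10.0.0.9 and the outside address 203.0.113.10 are constructed test values.

```python
import ipaddress

# Constructed sample: the ACL acomiskey posted, in first-match order.
ACL_WITH_DENY = """
access-list dmz permit ip any host 10.0.0.1
access-list dmz permit ip any host 10.0.0.2
access-list dmz permit ip any host 10.0.0.3
access-list dmz deny ip any 10.0.0.0 255.255.255.0
access-list dmz permit ip any any
""".strip().splitlines()

# Same ACL with the deny line left out, to show why that line matters.
ACL_WITHOUT_DENY = [line for line in ACL_WITH_DENY if " deny " not in line]

def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX/ASA ACLs take real subnet masks here, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """True if the flow is permitted: first matching ACE wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False  # no ACE matched: the implicit deny at the end of every ASA ACL

if __name__ == "__main__":
    for acl, label in ((ACL_WITH_DENY, "with deny"), (ACL_WITHOUT_DENY, "without deny")):
        # 10.0.0.9 is a constructed inside host that is NOT one of the three permitted above
        print(label, "-> 10.0.0.9:22", evaluate(acl, "tcp", "10.1.0.5", "10.0.0.9", 22))
        print(label, "-> 203.0.113.10:443", evaluate(acl, "tcp", "10.1.0.5", "203.0.113.10", 443))
```

Without the deny line, the trailing `permit ip any any` lets a DMZ host reach every inside address, not just the three listed; with it, the DMZ still reaches the outside but nothing else on the inside /24.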
