07-31-2007 10:59 AM - edited 03-11-2019 03:51 AM
Hey guys
I have 3 nets - an outside/29, an inside 10.0.0.1/24, and a DMZ 10.1.0.1/24. I would like a few servers in the DMZ to be able to talk to a few servers on the inside net, just a few ports. What is the correct way to establish this?
Thanks,
Dan
07-31-2007 11:06 AM
enable static commands as follows:
static (inside,dmz) 10.0.0.50 10.0.0.50
enable access-list on dmz interface:
access-list dmz_acl permit tcp host 10.1.0.5 host 10.0.0.50 eq 80
access-group dmz_acl in interface dmz
this is an example to enable dmz host at 10.1.0.5 to access 10.0.0.50 on the inside on tcp port 80.
07-31-2007 11:08 AM
Something like this will do the trick. Obviously the permit statements in the acl would be whatever you needed; I just used an example to allow the dmz to 3 inside hosts.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-list dmz permit ip any host 10.0.0.1
access-list dmz permit ip any host 10.0.0.2
access-list dmz permit ip any host 10.0.0.3
access-list dmz deny ip any 10.0.0.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface dmz
The last 2 lines in the acl are important if you want the DMZ to be able to access the outside.
Please rate helpful posts.
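Both answers above depend on the PIX evaluating an access-list top-down, first match wins, with an implicit deny at the end. The Python below is an added illustration, not a config or tool from the thread or from Cisco: a small first-match evaluator that understands only the subset of ACE syntax used in the two posted lists (permit/deny, ip/tcp/udp, any, host, address + netmask, eq port). It runs the posted ACLs against constructed sample flows to show why the "deny ip any 10.0.0.0 255.255.255.0" line before "permit ip any any" is the one that keeps the rest of the inside net closed; the source/destination addresses in the checks are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access control entry, already parsed."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port

def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return (network, index after it)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX style: address followed by a dotted subnet mask
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Parse the ACEs of access-list <name> from running-config style lines."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def evaluate(aces, src, dst, proto="tcp", dport=None):
    """First-match evaluation; an ACL with no matching ACE denies the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every access-list

# The two access-lists posted in this thread (as constructed input text).
FIRST_ANSWER = """\
access-list dmz_acl permit tcp host 10.1.0.5 host 10.0.0.50 eq 80
"""
SECOND_ANSWER = """\
access-list dmz permit ip any host 10.0.0.1
access-list dmz permit ip any host 10.0.0.2
access-list dmz permit ip any host 10.0.0.3
access-list dmz deny ip any 10.0.0.0 255.255.255.0
access-list dmz permit ip any any
"""

def check_flows():
    """Evaluate constructed sample flows against both posted ACLs."""
    strict = parse_acl(FIRST_ANSWER, "dmz_acl")
    full = parse_acl(SECOND_ANSWER, "dmz")
    # The same list with the explicit deny line removed, to show what it protects.
    loose_text = "\n".join(l for l in SECOND_ANSWER.splitlines() if " deny " not in l)
    loose = parse_acl(loose_text, "dmz")
    return {
        "strict_web":      evaluate(strict, "10.1.0.5", "10.0.0.50", "tcp", 80),
        "strict_ssh":      evaluate(strict, "10.1.0.5", "10.0.0.50", "tcp", 22),
        "strict_otherhost": evaluate(strict, "10.1.0.6", "10.0.0.50", "tcp", 80),
        "full_allowed":    evaluate(full, "10.1.0.5", "10.0.0.2", "tcp", 443),
        "full_otherinside": evaluate(full, "10.1.0.5", "10.0.0.77", "tcp", 443),
        "full_outside":    evaluate(full, "10.1.0.5", "203.0.113.10", "tcp", 80),
        "loose_otherinside": evaluate(loose, "10.1.0.5", "10.0.0.77", "tcp", 443),
    }

if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:18} {verdict}")
```

The "loose_otherinside" result is the point of acomiskey's last two lines: drop the explicit deny for 10.0.0.0/24 and the trailing "permit ip any any" (which exists so the DMZ can still reach the outside) quietly opens every other inside host to the DMZ. When reviewing a DMZ ACL, check that any catch-all permit is preceded by a deny covering every internal range.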
07-31-2007 11:12 AM
Awesome guys, thanks for the quick response!
07-31-2007 11:15 AM
oh yeah, don't forget those last two lines of acomiskey's config...VERY important. *slaps self for forgetting them*
these configs also assume nat-control is configured btw, if you're running 7.x.