Configure another public IP address and DMZ configuration

Oct 20th, 2008

Here is my network Diagram and my questions:

Router 2821 G0/0 port connected to F0/0 of the ASA 5510 firewall (outside network), configured with a static public IP address (209.x.x.10).

Firewall F0/2 (DMZ) connected to a 3560 switch, 172.16.3.254.

The 3560 switch is configured with several VLANs.

I have already connected my web server to the switch and put it on the right VLAN; I know that because I can ping from the ASA firewall (DMZ interface) to the web server (172.16.2.10).

My ISP provided me many public IP addresses, and I want to use another one (209.x.x.11) and configure it on the firewall, so that when people (outside) type this IP address into their IE, it is forwarded to the DMZ web server.


ray_stone Mon, 10/20/2008 - 13:02

Hi,


A trunk port must be enabled between the FW and the switch. Use the following commands:

First, map the local IP to a static public IP:

static (Inside,outside) 209.*.*.11 172.16.2.10 netmask 255.255.255.255

Second, make an access list on the outside interface for incoming web traffic from outside to the inside network:

access-list outside_access_in extended permit tcp any host 209.*.*.11 eq www

access-group outside_access_in in interface outside

Please rate if it helps.

khalid_heet Mon, 10/20/2008 - 15:14

Hi Ray_Stone. Thanks, but I need you to review the running-config below:

As you can see, I already have an appliance in the DMZ, and I need to add the web server to that DMZ with a different public IP address.


Running-Config:

access-list inbound extended permit tcp any host 209.x.x.9 eq www
access-list inbound extended permit tcp any host 209.x.x.9 eq smtp
access-list inbound extended permit tcp any host 209.x.x.9 eq https
access-list inbound extended permit icmp any host 209.x.x.10 echo-reply
access-list DMZIN extended permit tcp host 172.16.3.3 host 172.16.1.4 eq smtp
access-list DMZIN extended permit tcp host 172.16.3.3 host 172.16.1.2 eq ldap
access-list DMZIN extended permit udp host 172.16.3.3 any eq domain
access-list DMZIN extended permit icmp host 172.16.3.3 any
access-list DMZIN extended permit udp host 172.16.3.3 any eq ntp
access-list DMZIN extended permit tcp host 172.16.3.3 any eq www
access-list DMZIN extended permit tcp host 172.16.3.3 any eq 8000
access-list DMZIN extended permit udp any host 172.16.1.2 eq ntp
access-list DMZIN extended permit udp any host 172.16.65.2 eq ntp
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.99.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.16.65.0 255.255.255.0 192.168.99.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.99.0 255.255.255.240
access-list marketingin extended deny tcp any any eq telnet
access-list marketingin extended deny tcp any any eq ssh
access-list marketingin extended deny tcp any any eq 3389
access-list marketingin extended permit icmp any any
access-list marketingin extended permit icmp any any echo
access-list marketingin extended permit icmp any any echo-reply
access-list marketingin extended permit ip 192.168.49.0 255.255.255.0 any
access-list marketingin extended permit udp any host 172.16.1.2 eq ntp
access-list marketingin extended permit udp any host 172.16.65.2 eq ntp
access-list usersin extended deny tcp any any eq telnet
access-list usersin extended deny tcp any any eq ssh
access-list usersin extended permit udp 192.168.10.0 255.255.255.0 host 172.16.65.2 eq bootps
access-list usersin extended deny ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list usersin extended permit ip 192.168.10.0 255.255.255.0 any
access-list usersin extended permit udp any host 172.16.65.2 eq ntp
access-list usersin extended permit udp any host 172.16.1.2 eq ntp
global (outside) 1 interface
global (outside) 2 209.x.x.9 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 172.16.1.4 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 172.16.3.3 255.255.255.255
static (DMZ,outside) tcp 209.x.x.9 smtp 172.16.3.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 209.x.x.9 https 172.16.1.4 https netmask 255.255.255.255
static (inside,outside) tcp 209.x.x.9 www 172.16.1.4 www netmask 255.255.255.255
static (inside,DMZ) 172.16.1.4 172.16.1.4 netmask 255.255.255.255
static (DMZ,inside) 172.16.3.3 172.16.3.3 netmask 255.255.255.255
static (inside,DMZ) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group inbound in interface outside
access-group DMZIN in interface DMZ
access-group usersin in interface telecom
access-group marketingin in interface Employees
access-group sales in interface sales




I cut a couple of statements because of the length limitation; sorry for that.
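The two-step procedure in ray_stone's reply (a static translation, then an ACL entry on the outside interface) and the running config posted above lend themselves to a consistency check before the new address is added. The script below is an added example, not code from this thread or from Cisco: it parses pre-8.3 ASA `static`, `access-list` and `access-group` lines, evaluates the ACL bound to the mapped interface with first-match semantics and the implicit deny, and reports which published address/port pairs are actually reachable, which statics are dead because no ACL entry permits them, and what a whole-address static exposes. The configuration it runs on is constructed for the example: it mirrors the shape of the posted config but uses documentation addresses (203.0.113.x in place of 209.x.x.x), assumes the web server sits behind the DMZ interface as the diagram describes, and includes a deliberately forgotten ACL entry for 203.0.113.12 to show the failure case. Source addresses in ACL entries are ignored, since the check is about traffic from anywhere on the outside.

```python
"""Cross-check ASA (pre-8.3 NAT syntax) static entries against the inbound ACL.

Added example, not from the thread. CONFIG is constructed: documentation
addresses (203.0.113.0/24) stand in for the thread's 209.x.x.x block.
"""
import ipaddress

# Service names as they appear in ASA configs, resolved to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ssh": 22, "telnet": 23,
              "domain": 53, "ntp": 123, "bootps": 67, "ldap": 389}

# Constructed sample shaped like the posted config. 203.0.113.11 stands for the
# new web-server address from the question; 203.0.113.12 has a static but no ACL entry.
CONFIG = """
access-list inbound extended permit tcp any host 203.0.113.9 eq www
access-list inbound extended permit tcp any host 203.0.113.9 eq smtp
access-list inbound extended permit tcp any host 203.0.113.9 eq https
access-list inbound extended permit icmp any host 203.0.113.10 echo-reply
access-list inbound extended permit tcp any host 203.0.113.11 eq www
static (DMZ,outside) tcp 203.0.113.9 smtp 172.16.3.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.9 https 172.16.1.4 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.9 www 172.16.1.4 www netmask 255.255.255.255
static (DMZ,outside) 203.0.113.11 172.16.2.10 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 ssh 172.16.1.9 ssh netmask 255.255.255.255
access-group inbound in interface outside
"""


def port_number(token):
    """Resolve an ASA port token (name or number) to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_address(tokens, i):
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (statics, acls, bindings) from static / access-list / access-group lines."""
    statics, acls, bindings = [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):          # port static: proto mapped mport real rport
                statics.append(dict(real_if=real_if, mapped_if=mapped_if, proto=t[2],
                                    mapped=t[3], mapped_port=port_number(t[4]),
                                    real=t[5], real_port=port_number(t[6])))
            else:                               # whole-address static: mapped real
                statics.append(dict(real_if=real_if, mapped_if=mapped_if, proto=None,
                                    mapped=t[2], mapped_port=None, real=t[3], real_port=None))
        elif t[0] == "access-list" and t[2] == "extended":
            name, action, proto = t[1], t[3], t[4]
            src, i = parse_address(t, 5)
            dst, i = parse_address(t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append(
                dict(action=action, proto=proto, src=src, dst=dst, port=port))
        elif t[0] == "access-group":            # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return statics, acls, bindings


def acl_verdict(entries, proto, dst_ip, port):
    """First-match ACL evaluation for traffic from any source to dst_ip:port; implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto) or addr not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        return e["action"]
    return "deny"


def audit(text, mapped_if="outside"):
    """Classify every static published on mapped_if as reachable, blocked, or exposed."""
    statics, acls, bindings = parse_config(text)
    acl = acls.get(bindings.get(mapped_if), [])
    report = {"reachable": [], "blocked": [], "exposed": []}
    for s in statics:
        if s["mapped_if"] != mapped_if:
            continue
        if s["proto"]:
            verdict = acl_verdict(acl, s["proto"], s["mapped"], s["mapped_port"])
            bucket = "reachable" if verdict == "permit" else "blocked"
            report[bucket].append((s["mapped"], s["proto"], s["mapped_port"], s["real"], s["real_port"]))
        else:
            # A whole-address static forwards every port; what is reachable is whatever the ACL permits.
            addr = ipaddress.ip_address(s["mapped"])
            candidates = {(e["proto"], e["port"]) for e in acl
                          if e["action"] == "permit" and addr in e["dst"]}
            for proto, port in sorted(candidates, key=str):
                if acl_verdict(acl, proto, s["mapped"], port) == "permit":
                    report["exposed"].append((s["mapped"], proto, port, s["real"]))
    return report


if __name__ == "__main__":
    for bucket, rows in audit(CONFIG).items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

Run against the constructed config, the three 203.0.113.9 port statics come back reachable, the 203.0.113.12 ssh static is reported as blocked (the static exists but the ACL bound to outside never permits it, which is the step that is easy to forget), and the whole-address static for 203.0.113.11 is reported as exposing only TCP/80, since that is the single entry the inbound ACL permits to it. Pasting a real running config in place of CONFIG (with the `x` placeholders replaced by the actual addresses) gives the same three lists for that firewall.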
