DMZ configuration

Unanswered Question
Jan 19th, 2009

I'm new to firewall configurations so I need a little clarity. I have an ASA set up. My internal network is 192.168.0.0/24 and my DMZ network is 10.0.0.0/24. Now I need to know how to configure access from my internal network to my DMZ network. We have a web server and an FTP server on the same box there. I also have statics set up for outside access. I need to see an example DMZ ACL and for someone to explain it to me because I can't find documentation for it anywhere on the Cisco site.

sdoremus33 Mon, 01/19/2009 - 14:03

Start with this page

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#DMZ2inside

So if your internal network is 192.168.0.0 and the DMZ is 10.0.0.0 you would need to do something like this:

1. Specify the source(s) of the traffic that must be translated.

So in your case it would be:

nat (inside) 1 192.168.0.0 /* This is the inside subnet that needs to be xlated and appear as a host on the 10.0.0.0 DMZ network */

global (dmz) 1 interface /* This will take the src traffic (inside subnet) and xlate or present the src as the interface of the DMZ subnet, which will allow you to access the devices within your DMZ */

HTH

Since you are traversing from a higher security interface to a lower interface you do not need an ACL to specify the traffic; however, if you require traffic from an outside or DMZ host to access inside resources then you will need an ACL first to permit the traffic, then specify the static translation that will be stored in your xlate table.

sdoremus33 Mon, 01/19/2009 - 14:10

So if your internal network is 192.168.0.0 and the DMZ is 10.0.0.0 you would need to do something like this:

1. Specify the source(s) of the traffic that must be translated.

ASA-Device-name(config)# nat (inside) 1 192.168.0.0 255.255.0.0

ASA-Device-name(config)# global (DMZ) 1 interface

HTH

chevymannie Mon, 01/19/2009 - 14:19

Cool, so how would an ACL for the DMZ look for accessing a web server?

sdoremus33 Mon, 01/19/2009 - 18:13

So if you want to create an access-list in this situation where inside hosts access a server on the DMZ, I believe you do the following (not 100% sure though).

1. Create an access-list for the traffic:

access-list insidetodmz permit tcp 192.168.0.0 255.255.0.0 host (ip address of server on DMZ) eq 80

2. Create the static NAT entry based upon the ACL:

static (inside,dmz) (ip address of server on DMZ) (ip address of server on DMZ) -- This is referred to as identity NAT

The reason I am doing identity NAT is because when you specified the traffic in the ACL you are basically saying permit traffic sourced from (src) subnet 192.168.0.0 to (dst) ip address of server on DMZ.

Next what you have to do is use a static NAT translation (this basically adds an xlate entry in the database; a conn entry is also created to xlate traffic from the inside to the DMZ), and because the ACL permits traffic from 192.168.0.0 to (NAT server address), you are basically hiding your inside subnet (192.168.0.0) and presenting it as (ip address of the DMZ server you want to access).

HTH

sdoremus33 Mon, 01/19/2009 - 18:59

I just wanted to make a couple more suggestions here.

This step (incorporating ACL + NAT static cmd):

So if your internal network is 192.168.0.0 and the DMZ is 10.0.0.0 you would need to do something like this:

1. Specify the source(s) of the traffic that must be translated.

ASA-Device-name(config)# nat (inside) 1 192.168.0.0 255.255.0.0

ASA-Device-name(config)# global (DMZ) 1 interface

is not mutually exclusive with my last suggestion (ACL + static NAT).

So either do one or the other in your configuration, as it will lead to undesirable results.

Also you need to keep in mind the order in which NAT statements occur. Excerpt from the Cisco PIX book:

If you configure several address translation operations, you might have some overlap between them. For example, the same local address might appear in more than one NAT definition. To resolve any ambiguity, the firewall evaluates the various types of NAT in the following order before creating an xlate entry:

NAT exemptions (nat 0 access-list commands)

Policy NAT (static access-list commands)

Static NAT (static commands without port numbers)

Static PAT (static commands with port numbers)

Policy NAT (nat nat_id access-list commands)

Dynamic NAT and PAT (nat nat_id commands)

sdoremus33 Mon, 01/19/2009 - 19:03

One last note, forgot to mention.

If you configure a static translation, i.e.

static (inside,outside) x.x.x.x y.y.y.y where x.x.x.x = outside, y.y.y.y = inside, it will create an xlate entry for both inbound and outbound access.
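Pulling the thread together, here is a complete pre-8.3 ASA configuration for the poster's scenario (inside 192.168.0.0/24 reaching a web/FTP box in the 10.0.0.0/24 DMZ, plus the outside statics the poster already has). This is an added example written for this page, not config from any of the posters or from Cisco documentation. Assumptions: the inside interface is Ethernet0/1 at 192.168.0.1, the dmz interface is Ethernet0/2 at 10.0.0.1, the server is 10.0.0.10, its public address is the placeholder 203.0.113.10 (documentation range), and the ACL names inside_in and outside_in are my own. It uses the nat/global/static syntax the thread uses; ASA 8.3 and later replaced that with object NAT and the same rules would be written differently.

```text
! Added example (not from the thread). Pre-8.3 ASA syntax.
! Assumed addressing: inside gw 192.168.0.1, dmz gw 10.0.0.1,
! web/FTP server 10.0.0.10, public address placeholder 203.0.113.10.
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
! --- Option A (the first answer): dynamic PAT, inside hosts appear on the
! DMZ as the dmz interface address (10.0.0.1).
nat (inside) 1 192.168.0.0 255.255.255.0
global (dmz) 1 interface
!
! --- Option B (use INSTEAD of option A, not together): identity static, so
! inside hosts keep their real 192.168.0.x addresses on the DMZ. The server
! then sees the true client address, which keeps its own logs and host
! firewall meaningful. Uncomment this and drop the global (dmz) line above.
! static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! --- inside -> dmz is security-level 100 -> 50 and is allowed without an
! ACL. If an ACL is already applied inbound on "inside" (e.g. for Internet
! access), it must permit the DMZ flows explicitly because it ends in an
! implicit deny. Least-privilege version: only web and FTP to the server,
! nothing else into the DMZ, everything else (Internet) still permitted.
access-list inside_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.10 eq www
access-list inside_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.10 eq ftp
access-list inside_in extended deny ip any 10.0.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
access-group inside_in in interface inside
!
! --- The outside static the poster already has, with the outside ACL that
! has to accompany it. Pre-8.3 the outside ACL matches the MAPPED address
! (203.0.113.10), not the real 10.0.0.10. Only the two published services
! are opened; the static alone does not permit anything inbound.
static (dmz,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq ftp
access-group outside_in in interface outside
!
! Nothing above lets the DMZ (level 50) initiate to inside (level 100), so a
! compromised web box still cannot reach 192.168.0.0/24.
```

Two things to check after applying it. First, "show xlate" and "show conn" while an inside host browses to 10.0.0.10 confirm which option is in effect: with option A the conn shows the 10.0.0.1 source, with option B the real 192.168.0.x address. Second, the FTP control channel on port 21 is only half the story; the default global policy's "inspect ftp" is what opens the data channel dynamically, so leave that inspection in place rather than widening the ACLs to cover high ports.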
