
shifting the servers from inside to DMZ

Jul 19th, 2009

Hi all,

I have to make a DMZ in my network. Currently my servers are working in the inside network, but now I have to shift these servers to the DMZ.

Kindly look at my configuration and guide me on how I can achieve this goal. Thanks

********************

ASA Version 8.0(4)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.252
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/3
 description LAN Failover Interface
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
access-list inside_access_all extended permit ip any any
access-list DMZ_access_all extended permit icmp any any
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_all in interface Inside
access-group DMZ_access_all in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
: end

ASA#

Jithesh K Joy Tue, 07/21/2009 - 05:52

Hi,


With this config you will not be able to access your servers from outside.

hussain.ratlami Tue, 07/21/2009 - 06:21

Hi,


I think the following lines are confusing:


access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
access-list inside_access_all extended permit ip any any
access-list DMZ_access_all extended permit icmp any any
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0


Can you tell me what you are planning to use these lines for?


To have your inside network access the DMZ, just enter the commands below and it will work; you don't need anything else:


access-list inside_nat0 extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0


That's it, this will serve your purpose and you will be able to access the DMZ from Inside.


And to access the DMZ from Outside you need to create static/dynamic NAT as required.


Regards,

Hussain
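A worked version of the move for the three servers the posted outside ACL names, added here as an example; it is not configuration from the poster or from either reply. It assumes the servers keep their last octet in 192.168.100.0/24 (an assumption) and relies on the nat 0 exemptions already in the posted config, so only the outside ACEs that still point at Inside addresses change.

```cisco
! Added example (not from the thread). Assumes the three servers are re-addressed
! from 192.168.0.201/.204/.210 on Inside to 192.168.100.201/.204/.210 on the DMZ.
!
! 1. NAT: the existing exemptions already carry both directions with real
!    addresses, so nothing new is needed for the DMZ hosts:
!      nat (Inside) 0 access-list nonat       Inside -> DMZ / outside
!      nat (DMZ) 0 access-list nonatDMZ       DMZ -> Inside / outside
!    "static (Inside,DMZ) 192.168.0.0 192.168.0.0" makes Inside reachable from
!    the DMZ, but only for what DMZ_access_all permits (currently ICMP only).
!
! 2. Outside ACL: drop the ACEs that still point at the old Inside addresses ...
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
no access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
no access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
no access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
no access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
no access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
! ... and re-add them for the DMZ addresses. The ASA evaluates ACEs top-down, so
! the host-specific deny is placed before the subnet permit it carves out of; in
! the original list it came after that permit and could never match.
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.204 eq www
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.100.201 eq 8080
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.100.201 eq 7777
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.100.201 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.100.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.100.204 eq 7777
! The ICMP and 192.168.255.0/24 entries for 192.168.100.0/24 already exist, so
! the remaining 192.168.0.0/24 entries can stay for whatever is left on Inside.
!
! 3. DMZ ACL: DMZ_access_all permits only ICMP, so a compromised DMZ server
!    cannot open new sessions to Inside. Keep that, and add only the specific
!    DMZ -> Inside flows the servers need (for example one database port to one host).
!
! Verify before cutover (hit counts appear in the first command's output):
!   show access-list outside_access_in
!   packet-tracer input outside tcp 192.168.22.38 1025 192.168.100.201 7777
```

The packet-tracer line should report a drop on the new deny ACE; if it reports allow, the ACE order did not take effect and the list needs to be rebuilt in the order shown.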
