Inside host to DMZ host access

Answered Question
Jan 26th, 2010

By default traffic from higher security-level interface is allowed to go to lower security-level interface, I assumed that this would allow a host on the inside network to access a host in the dmz straight out of the box. It doesn't work.


I need the inside host to pull some log files from a server in the dmz to the inside network for processing. Can anyone give me some advice on the steps required to do this please.



inside network host = 172.24.35.201

dmz host = 10.0.0.2


This is the last remaining requirement, all my external access to the dmz is working correctly. I think I'm just misunderstanding the traffic flow from high to low.


Regards


David

Correct Answer
Jon Marshall Tue, 01/26/2010 - 02:00

davidjennings19 wrote:


By default traffic from higher security-level interface is allowed to go to lower security-level interface, I assumed that this would allow a host on the inside network to access a host in the dmz straight out of the box. It doesn't work.


I need the inside host to pull some log files from a server in the dmz to the inside network for processing. Can anyone give me some advice on the steps required to do this please.



inside network host = 172.24.35.201

dmz host = 10.0.0.2


This is the last remaining requirement, all my external access to the dmz is working correctly. I think I'm just misunderstanding the traffic flow from high to low.


Regards


David


David


You don't need an ACL, but you do need to do something about NAT, assuming you are using NAT.


Easiest way is just to do a static, i.e.


static (inside,dmz) 172.24.35.201 172.24.35.201 netmask 255.255.255.255


Jon

davidjennings19 Tue, 01/26/2010 - 11:26

Thanks


I managed to get it going today by doing exactly what you have suggested. I don't fully understand why I need to do this as I thought the traffic would just be routed from the higher security level to the lower one.


I assumed I'd only need NAT/PAT if I wanted to change the IP to a global, outside IP.


David

Jon Marshall Tue, 01/26/2010 - 11:42

davidjennings19 wrote:


Thanks


I managed to get it going today by doing exactly what you have suggested. I don't fully understand why I need to do this as I thought the traffic would just be routed from the higher security level to the lower one.


I assumed I'd only need NAT/PAT if I wanted to change the IP to a global, outside IP.


David

David


Glad you got it working.


The NAT thing is an idiosyncrasy of the ASA/PIX. Unless you have turned off NAT altogether with "no nat-control", then even if you don't want to actually change the IP (which is what most people think of as NAT with Cisco firewalls), you still need to tell it that, i.e. that you want the same address on the DMZ as it is on the inside.


Like I say, I haven't seen this behaviour on other vendors' firewalls.


Jon

Kureli Sankar Tue, 01/26/2010 - 20:27

Well, if you have "no nat-control", then you do not need any translation to go from inside to dmz or inside to outside.


But if you apply nat/global from inside to outside, and this host that needs to access the dmz is included in this nat/global to the outside, then you need to start providing translation for all the interfaces that this inside host will be going to.


For example, if the inside host is 192.168.1.1 and you have

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface


Now, if you have the above two lines in the config, then you need to provide translation for 192.168.1.1 when it goes to dmz1, dmz2 or any other interface, even when you have "no nat-control".


If you do not have the above two lines, then with "no nat-control" you just don't need any translation to go from inside to outside, inside to dmz1, inside to dmz2, etc. This behaviour is only for the PIX/ASA.


It is different on the FWSM. The FWSM will not require a static for inside to dmz even when you have nat/global for inside to outside, when "no nat-control" is present. I hope I haven't confused you too much.


-KS
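The rule both answers describe (no ACL needed, but once an inside host is covered by a nat/global pair it needs a translation entry toward every interface it crosses, with the FWSM behaving differently when nat-control is off) can be checked with a small model. The Python below is an added example and is not code from the thread or from Cisco: it parses the pre-8.3 PIX/ASA nat-control, nat, global and static lines quoted above and reports what the lookup does to a flow. The 172.24.35.0/24 scope of the nat line, the interface names and the simplified lookup order (no policy NAT, no nat 0 access-list exemption, no pool addresses) are this example's assumptions. Note that ASA 8.3 and later replaced this syntax with object NAT and removed nat-control entirely, so the model only describes PIX and ASA 8.2 or earlier.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class NatConfig:
    """Subset of pre-8.3 PIX/ASA NAT state that decides inside->dmz reachability."""
    nat_control: bool = False                          # ASA 7.x+ default is off
    nat: list = field(default_factory=list)            # (ingress_if, id, real_network)
    global_pools: list = field(default_factory=list)   # (egress_if, id)
    statics: list = field(default_factory=list)        # (real_if, mapped_if, real_net, mapped_ip)


def parse(text):
    """Parse nat-control / nat / global / static lines; anything else is rejected."""
    cfg = NatConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "nat-control":
            cfg.nat_control = True
        elif line == "no nat-control":
            cfg.nat_control = False
        elif line.startswith("nat (") and "access-list" in line:
            raise ValueError("NAT exemption (nat 0 access-list) is not modelled here")
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line):
            cfg.nat.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := re.match(r"global \((\S+)\) (\d+) \S+", line):
            cfg.global_pools.append((m[1], int(m[2])))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$", line):
            # static (real_if,mapped_if) mapped_ip real_ip netmask mask
            cfg.statics.append((m[1], m[2], ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False), m[3]))
        else:
            raise ValueError(f"unsupported line: {line}")
    return cfg


def translate(cfg, ingress, egress, src, platform="asa"):
    """Decide what happens to a connection from `src` on `ingress` toward `egress`.

    Simplified order of the pre-8.3 lookup (assumption: no policy NAT, no pools):
      1. a static whose (real_if, mapped_if) equals (ingress, egress) is used;
      2. a `nat (ingress) 0 <net>` identity entry passes the packet unchanged;
      3. a `nat (ingress) N <net>` match needs a matching `global (egress) N`;
      4. otherwise: nat-control on -> drop; nat-control off -> pass untranslated,
         except that an ASA/PIX still drops a host that matched some nat line
         for ingress (Kureli's point), while the FWSM lets it through.
    Returns (verdict, mapped_source).
    """
    src = ipaddress.ip_address(src)
    for real_if, mapped_if, real_net, mapped_ip in cfg.statics:
        if (real_if, mapped_if) == (ingress, egress) and src in real_net:
            offset = int(src) - int(real_net.network_address)
            mapped = ipaddress.ip_address(int(ipaddress.ip_address(mapped_ip)) + offset)
            return "static", str(mapped)
    matched_ids = [nid for iface, nid, net in cfg.nat if iface == ingress and src in net]
    if 0 in matched_ids:
        return "identity", str(src)
    for nid in matched_ids:
        if (egress, nid) in cfg.global_pools:
            return "dynamic", f"<global pool {nid} on {egress}>"
    if cfg.nat_control:
        return "drop", None      # "no translation group found"
    if matched_ids and platform != "fwsm":
        return "drop", None      # the thread's symptom: nat/global exists for outside only
    return "untranslated", str(src)


# Constructed configs. The inside host, the dmz interface and the nat/global pair
# follow the thread; the 172.24.35.0/24 scope of the nat line is an assumption.
CONFIG_BEFORE = """
no nat-control
nat (inside) 1 172.24.35.0 255.255.255.0
global (outside) 1 interface
"""
# Jon's fix: an identity static for the inside host toward the dmz.
CONFIG_AFTER = CONFIG_BEFORE + "static (inside,dmz) 172.24.35.201 172.24.35.201 netmask 255.255.255.255\n"


if __name__ == "__main__":
    for name, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        cfg = parse(text)
        for egress in ("outside", "dmz"):
            print(name, f"inside->{egress}", translate(cfg, "inside", egress, "172.24.35.201"))
```

Running it shows the "before" config passing inside->outside through the dynamic pool but dropping inside->dmz for 172.24.35.201, while a host outside the nat scope (say 172.24.36.5) crosses untranslated; "after" returns the identity static, so the dmz server sees the real inside address in its logs. Switching platform="fwsm" makes the "before" inside->dmz flow pass untranslated, matching Kureli's note.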
