Access from DMZ to internet, where internet and inside LAN are on the same interface

Unanswered Question
Aug 6th, 2010

I have a scenario: my outside and inside networks are connected via the inside interface of my PIX firewall, and the DMZ is connected via the dmz interface. Inside has security level 100 and dmz has 40.

From the DMZ I can access the inside LAN, but I am not able to access the internet. Kindly help.

Nagaraja Thanthry Fri, 08/06/2010 - 06:05

Hello,

Do you have NAT rules configured to access the internet from the DMZ?

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

In the above example, the outside interface IP address will be shared by both the inside and dmz clients when going to the internet. Please make sure that you have something similar configured. Also you need to check the following things:

-- There are no access-list entries on the DMZ to block internet connections
-- You have access to the DNS server (if the DNS server is on the inside subnet, please configure a static NAT rule for the DNS server)
-- If you are using an ASA5505 with the base license, you will not be able to communicate between the inside and outside simultaneously.

Hope this helps,

Regards,

NT

ashish_kandari Fri, 08/06/2010 - 06:16

But I don't have any outside interface configured.....

Outside --- router --- inside --- firewall --- dmz.

Outside and inside are on the same side of the firewall...

This config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

I think, as traffic is moving from a lower to a higher security level, we need a static NAT.

But how can I use a static NAT for all internet addresses? There is no wildcard option in static NAT..

Thanks in advance..

ashish

Nagaraja Thanthry Fri, 08/06/2010 - 06:26

Hello,

In that case, you can disable NAT control and remove the existing NAT configurations.

ASA#configure terminal
ASA(config)#no nat-control
ASA(config)#clear configure nat
ASA(config)#clear configure global
ASA(config)#clear configure static

Since you have disabled the NAT requirement, all traffic will go to your outside router without any NAT. Make sure that the outside router has a rule to accommodate the DMZ subnets in its NAT pool.

Hope this helps.

Regards,

NT

ashish_kandari Fri, 08/06/2010 - 06:30

I can check that, but for that I will need downtime, as some connections will also drop.. Second thing.... for traffic from a lower to a higher security level, don't we need a static NAT? ......

Nagaraja Thanthry Fri, 08/06/2010 - 06:40

Hello,

You do not need any NAT rule when you are going from a lower security interface to a higher security interface.

Regards,

NT

ashish_kandari Fri, 08/06/2010 - 06:06

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255 0 0

nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
nat (dmz) 2 10.2.3.0 255.255.255.224 0 0
nat (dmz) 2 10.7.1.32 255.255.255.224 0 0
global (inside) 2 interface

Will this help...

Nagaraja Thanthry Fri, 08/06/2010 - 06:12

Hello,

A few concerns:

static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255

This statement seems to be incorrect.

global (inside) 2 interface

Why are you mapping DMZ traffic to the inside interface IP?

You do not need to statically map DMZ addresses to inside addresses unless they are some servers. If you were trying to map the DNS server, your first statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes care of it.

Hope this helps.

Regards,

NT

ashish_kandari Fri, 08/06/2010 - 06:20

static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255

This is because the DMZ and inside are using approximately the same kind of IP range, i.e. 10.*.*.

Because of this command, access from the DMZ to inside is possible, but not towards the internet......

In my firewall the traffic is not even reaching the outside interface.. it's getting dead before it.. some NATting issue.

This statement seems to be incorrect.

global (inside) 2 interface

I want to, so that it will take the inside IP address to go to the internet...

Why are you mapping DMZ traffic to the inside interface IP?

You do not need to statically map DMZ addresses to inside addresses unless they are some servers. If you were trying to map the DNS server, your first statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes care of it.
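The symptom in this thread (DMZ reaches the inside LAN but not the internet behind the same interface) can be reproduced by walking the posted config the way a pre-8.3 PIX/ASA with nat-control does. The following is an added example, not code from the thread or from Cisco: it is a simplified model that assumes higher-to-lower traffic needs a static or a nat/global pair covering the source, and lower-to-higher traffic needs a static whose mapped side covers the destination; the security levels are the poster's (inside 100, dmz 40), and the 198.51.100.10 "internet" address is a constructed documentation value.

```python
import ipaddress
import re

# Simplified model of a pre-8.3 PIX/ASA with nat-control enabled (assumption,
# not Cisco's implementation). CONFIG is an excerpt of the lines posted in the
# thread; SECURITY holds the levels the original poster described.
SECURITY = {"inside": 100, "dmz": 40}
CONFIG = """
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
global (inside) 2 interface
"""
STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL = re.compile(r"global \((\w+)\) (\d+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    statics, nats, globals_ = [], [], set()
    for line in config.strip().splitlines():
        if m := STATIC.match(line):
            # static (real_if,mapped_if) mapped_addr real_addr netmask mask
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, net(mapped, mask), net(real, mask)))
        elif m := NAT.match(line):
            nat_if, nat_id, addr, mask = m.groups()
            nats.append((nat_if, nat_id, net(addr, mask)))
        elif m := GLOBAL.match(line):
            globals_.add(m.groups())  # (interface, nat id)
    return statics, nats, globals_

def translation_for(src_if, src, dst_if, dst, config=CONFIG):
    """Matching rule, or None: with nat-control the packet is then dropped."""
    statics, nats, globals_ = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if SECURITY[src_if] > SECURITY[dst_if]:  # outbound: translate the source
        for real_if, mapped_if, mapped, real in statics:
            if (real_if, mapped_if) == (src_if, dst_if) and src in real:
                return f"static ({src_if},{dst_if}) {mapped}"
        for nat_if, nat_id, n in nats:
            if nat_if == src_if and src in n and (dst_if, nat_id) in globals_:
                return f"nat ({src_if}) {nat_id} -> global ({dst_if}) {nat_id}"
        return None
    for real_if, mapped_if, mapped, real in statics:  # inbound: destination
        if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped:
            return f"static ({dst_if},{src_if}) {mapped}"
    return None
```

Under this model a DMZ host reaching 10.1.1.50 matches the 10/8 static, while the same host going to 198.51.100.10 through the inside interface matches nothing, which is the "dead before the outside" behaviour described above; the nat (dmz) 2 / global (inside) 2 pair is never consulted for that direction.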
