Setting up DMZ on ASA

Answered Question
Sep 4th, 2010

Hi Community,

I have a Cisco ASA 5520 with the following interfaces set up:

Outside (0) 78.93.*.*

Inside (100) 10.1.2.20

Now I am planning to set up a DMZ, and there will be a webserver in that zone.

I need help with two things:

1. How do I allow people to access this webserver from the public network?

2. How do I allow only my PC residing in the inside network to access this server, and vice versa?


Any help would be highly appreciated.

Correct Answer by Federico Coto F... Sat, 09/04/2010 - 17:00

Hi,

Normally this is what you'll have:

inside = security level 100

outside = security level 0

dmz = security level 50

To allow traffic from outside to dmz you need:

static (dmz,outside) public_IP private_IP -->  public_IP is the NATed IP for the web server and private_IP is the real IP

access-list outside_in permit tcp any host public_IP eq 80

access-group outside_in in interface outside

The above ACL will permit only TCP port 80 to the web server from the outside and it's applied to the outside interface.

In order to allow communication from inside to dmz, you just need NAT:

nat (inside) 1 0 0

global (dmz) 1 interface

Federico.


Samir Shaikh Sat, 09/04/2010 - 17:07

Thanks for the prompt response.

nat (inside) 1 0 0

global (dmz) 1 interface

This will allow all inside hosts to communicate with the DMZ server,

but in my case, I want to allow a single host (that is, my PC) to communicate with this server.

Federico Coto F... Sat, 09/04/2010 - 17:11

To allow a single PC instead of having:

nat (inside) 1 0 0

global (dmz) 1 interface

You change it to this:

nat (inside) 1 x.x.x.x 255.255.255.255

global (dmz) 1 interface

Replace x.x.x.x with the IP.

Federico.

Federico Coto F... Sat, 09/04/2010 - 17:18

You can create a static NAT:

Assuming your inside IP is 10.0.0.1

static (inside,dmz) 10.0.0.1 10.0.0.1

Static NAT is normally done for inbound access (from a lower security interface to a higher security one).

Regular NAT is normally done for outbound traffic (that's why I gave you that example).

Short answer is... either way will work.

The problem with static NAT is that the DMZ will have access to initiate traffic to your PC (if allowed by ACL).


Federico.

Samir Shaikh Sat, 09/04/2010 - 17:25

I have heard something about Exempt NAT. Perhaps I didn't get any idea from the web.

Please can you explain with a simple example?

Thanks for your help.

Federico Coto F... Sat, 09/04/2010 - 17:30

Exempt NAT is NAT 0 with an ACL.

It allows you to define which traffic bypasses NAT, and it has the highest preference in the NAT priority check done by the ASA.

It is normally used to bypass NAT for VPN traffic,

i.e.

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list nonat

The above will allow traffic to flow between both networks with NAT.

If you do the example of the static...

static (inside,dmz) 10.0.0.1 10.0.0.1

then you are allowing traffic to pass with NAT as well (this is static Identity NAT because you're not really translating the address anyway).

Federico.

Samir Shaikh Sat, 09/04/2010 - 17:33

If I am not wrong, can I just create an ACL to allow traffic from inside to dmz without NAT... Is it possible to do that?

Federico Coto F... Sat, 09/04/2010 - 17:37

Yes.

It depends on the version.

If you have nat-control enabled (can check it with sh run nat-control) then you MUST have a NAT rule for the ASA to allow traffic to pass between interfaces.

If you disable nat-control, then you can pass traffic without NAT.

However, an ACL is not required to pass traffic from inside to dmz.

An ACL is required to pass traffic from a lower security to a higher security (like in the case from dmz to inside).

Federico.

Samir Shaikh Sat, 09/04/2010 - 17:47

This is what I have done after your great explanation:

Static NAT

static (inside,dmz) 10.1.2.18 10.1.2.18 netmask 255.255.255.255

Created an ACL to allow the traffic from dmz to inside

access-list DMZ-1_access_in line 2 extended permit tcp host 172.16.1.X object-group MYPC object-group sqlnet

Federico Coto F... Sat, 09/04/2010 - 17:51

Remember the important rules:

Traffic from higher security to lower security requires NAT (if nat-control is enabled).

Traffic from lower security to higher security requires STATIC NAT and an ACL.

If you already have an ACL applied to an interface, i.e. inside, then all traffic that should be permitted must be explicitly defined.

If you really understand the above, you're done (for the basics).

Federico.
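The rules Federico summarises in his last post, together with the NAT precedence from the exempt-NAT post (exempt first, then static, then regular nat/global), as an added Python model. This is not code from the thread or from Cisco; it is a simplified teaching model of the classic (pre-8.3) ASA checks: the inbound ACL on the ingress interface is evaluated first, then NAT, and nat-control makes a NAT match mandatory in both directions. The public web address 203.0.113.10 and the DMZ server address 172.16.1.10 are constructed stand-ins for the 78.93.*.* and 172.16.1.X values the thread elides, and the sqlnet object-group is assumed to mean TCP 1521; the PC 10.1.2.18 is from the thread.

```python
# Added example, not code from the thread or from Cisco: a small model of the
# classic (pre-8.3) ASA checks described in the thread. Simplifications: ACL on
# the ingress interface first, then NAT (exempt > static > dynamic), and
# nat-control makes a NAT match mandatory in both directions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# ACL entry: (action, source network, destination network, TCP port or None for any)
AclEntry = Tuple[str, str, str, Optional[int]]

@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[AclEntry]] = None   # inbound ACL (access-group ... in); None = none applied

@dataclass(frozen=True)
class NatRule:
    kind: str                    # "exempt" (nat 0 access-list), "static", or "dynamic" (nat/global)
    real_if: str                 # interface the real address sits behind
    mapped_if: Optional[str]     # interface the translation is used on; None = any (exempt)
    real_net: str                # real addresses the rule covers
    mapped_net: Optional[str] = None   # translated addresses (static); defaults to real_net
    peer_net: str = "0.0.0.0/0"  # remote side matched by the nat 0 ACL (exempt only)

PRIORITY = {"exempt": 0, "static": 1, "dynamic": 2}   # order the ASA tries them in

def _in(ip: str, net: str) -> bool:
    return ip_address(ip) in ip_network(net, strict=False)

def match_nat(rules: List[NatRule], src_if: str, dst_if: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Pick the rule the ASA would use for a new connection, honouring exempt > static > dynamic."""
    for r in sorted(rules, key=lambda r: PRIORITY[r.kind]):
        mapped = r.mapped_net or r.real_net
        if r.kind == "exempt":   # nat 0 access-list is bidirectional
            if (r.real_if == src_if and _in(src_ip, r.real_net) and _in(dst_ip, r.peer_net)) or \
               (r.real_if == dst_if and _in(dst_ip, r.real_net) and _in(src_ip, r.peer_net)):
                return r
        elif r.kind == "static":  # outbound through the static, or inbound to the mapped address
            if r.real_if == src_if and r.mapped_if == dst_if and _in(src_ip, r.real_net):
                return r
            if r.real_if == dst_if and r.mapped_if == src_if and _in(dst_ip, mapped):
                return r
        elif r.real_if == src_if and r.mapped_if == dst_if and _in(src_ip, r.real_net):
            return r             # dynamic nat/global only serves connections from the real side
    return None

def acl_permits(acl: List[AclEntry], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First match wins; an applied ACL ends with an implicit deny."""
    for action, src_net, dst_net, port in acl:
        if _in(src_ip, src_net) and _in(dst_ip, dst_net) and port in (None, dst_port):
            return action == "permit"
    return False

def check_flow(ifs: Dict[str, Interface], rules: List[NatRule], nat_control: bool,
               src_if: str, dst_if: str, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Decide whether a new TCP connection may be set up; returns (allowed, reason)."""
    s, d = ifs[src_if], ifs[dst_if]
    if s.security_level == d.security_level:
        raise ValueError("same-security traffic is outside this model")
    inbound = s.security_level < d.security_level          # lower -> higher security
    if s.acl is not None:                                   # once an ACL is applied, everything must be explicit
        if not acl_permits(s.acl, src_ip, dst_ip, dst_port):
            return False, f"denied by ACL on {src_if}"
    elif inbound:
        return False, f"lower-to-higher traffic needs an inbound ACL on {src_if}"
    rule = match_nat(rules, src_if, dst_if, src_ip, dst_ip)
    if rule is None:
        if nat_control:
            return False, "nat-control is on and no NAT rule matches"
        return True, "permitted without translation (nat-control off)"
    return True, f"permitted via {rule.kind} NAT"

def thread_scenario(nat_control: bool = True, with_exempt: bool = False):
    """The poster's design: web server published on 80, only the PC 10.1.2.18 talks to the DMZ."""
    public_web = "203.0.113.10"   # constructed stand-in for the 78.93.x.x public address
    web_real = "172.16.1.10"      # constructed stand-in for the 172.16.1.X server
    my_pc = "10.1.2.18"           # from the thread
    ifs = {
        "outside": Interface("outside", 0, acl=[("permit", "0.0.0.0/0", public_web, 80)]),
        "inside": Interface("inside", 100),
        "dmz": Interface("dmz", 50, acl=[("permit", web_real, my_pc, 1521)]),  # sqlnet assumed to be 1521
    }
    rules = [
        NatRule("static", "dmz", "outside", web_real, public_web),  # static (dmz,outside) public real
        NatRule("static", "inside", "dmz", my_pc),                  # static (inside,dmz) 10.1.2.18 10.1.2.18
    ]
    if with_exempt:   # access-list nonat permit ip 10.1.2.0/24 172.16.1.0/24 ; nat (inside) 0 access-list nonat
        rules.append(NatRule("exempt", "inside", None, "10.1.2.0/24", peer_net="172.16.1.0/24"))
    return ifs, rules, nat_control

def decide(src_if, dst_if, src_ip, dst_ip, dst_port, **scenario) -> Tuple[bool, str]:
    ifs, rules, nat_control = thread_scenario(**scenario)
    return check_flow(ifs, rules, nat_control, src_if, dst_if, src_ip, dst_ip, dst_port)

if __name__ == "__main__":
    for flow in [("outside", "dmz", "198.51.100.7", "203.0.113.10", 80),
                 ("inside", "dmz", "10.1.2.20", "172.16.1.10", 80),
                 ("dmz", "inside", "172.16.1.10", "10.1.2.18", 1521)]:
        print(flow, decide(*flow))
```

Running it shows the three effects discussed in the thread: the inside host that has no NAT rule is blocked purely by nat-control while the PC with the identity static passes; the DMZ server can only reach the PC on the port the dmz ACL names; and adding the nonat exemption (with_exempt=True) wins over the static for the same PC and also opens the rest of 10.1.2.0/24, which is exactly why a broad exemption undoes the single-host restriction the poster wanted.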
