Setting up DMZ on ASA

samirshaikh52
Level 2

Hi Community,

I've a Cisco ASA 5520 with the following interfaces set up:

Outside (0) 78.93.*.*

Inside ( 100) 10.1.2.20

Now I am planning to set up a DMZ, and there will be a web server in that zone.

I need help for two things:

1. How do I allow people to access this web server from the public network?

2. How do I allow only my PC, residing in the inside network, to access this server and vice versa?


Any help would be highly appreciated.

Accepted Solution

Hi,

Normally this is what you'll have:

inside = security level 100

outside = security level 0

dmz = security level 50

To allow traffic from outside to dmz you need:

static (dmz,outside) public_IP private_IP

(public_IP is the NATed IP for the web server and private_IP is the real IP)

access-list outside_in permit tcp any host public_IP eq 80

access-group outside_in in interface outside

The above ACL will permit only TCP port 80 to the web server from the outside and it's applied to the outside interface.

In order to allow communication from inside to dmz, you just need NAT:

nat (inside) 1 0 0

global (dmz) 1 interface

Federico.


Thanks for the prompt response.

nat (inside) 1 0 0

global (dmz) 1 interface

This will allow all inside hosts to communicate with the DMZ server,

but in my case I want to allow a single host (that is, my PC) to communicate with this server.

To allow a single PC instead of having:

nat (inside) 1 0 0

global (dmz) 1 interface

You change it to this:

nat (inside) 1 x.x.x.x 255.255.255.255

global (dmz) 1 interface

Replace x.x.x.x with the IP.

Federico.

What would happen if I make a static NAT?

You can create a static NAT:

Assuming your inside IP is 10.0.0.1:

static (inside,dmz) 10.0.0.1 10.0.0.1

Static NAT is normally done for inbound access (from a lower security interface to a higher security one).

Regular NAT is normally done for outbound traffic (that's why I gave you that example).

Short answer is... either way will work.

The problem with static NAT is that the DMZ will have access to initiate traffic to your PC (if allowed by ACL).


Federico.

I have heard something about exempt NAT. Perhaps I didn't get any idea from the web.

Can you please explain with a simple example?

Thanks for your help.

Exempt NAT is NAT 0 with an ACL.

It allows you to define which traffic bypasses NAT, and it has the highest preference in the NAT priority check done by the ASA.

It is normally used to bypass NAT for VPN traffic.

i.e.

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list nonat

The above will allow traffic to flow between both networks with NAT.

If you do the example of the static...

static (inside,dmz) 10.0.0.1 10.0.0.1

then you are allowing traffic to pass with NAT as well (this is static Identity NAT because you're not really translating the address anyway).

Federico.

If I am not wrong, can I just create an ACL to allow traffic from inside to dmz without NAT? Is it possible to do that?

Yes.

Depending on the version.

If you have nat-control enabled (you can check it with sh run nat-control), then you MUST have a NAT rule for the ASA to allow traffic to pass between interfaces.

If you disable nat-control, then you can pass traffic without NAT.

However, an ACL is not required to pass traffic from inside to dmz.

An ACL is required to pass traffic from a lower security to a higher security (like in the case from dmz to inside).

Federico.

This is what I have done after your great explanation.

Static NAT:

static (inside,dmz) 10.1.2.18 10.1.2.18  netmask 255.255.255.255

Created an ACL to allow the traffic from dmz to inside:

access-list DMZ-1_access_in line 2 extended permit tcp host 172.16.1.X object-group MYPC object-group sqlnet

Remember the important rules:

Traffic from higher security to lower security requires NAT (if nat-control is enabled).

Traffic from lower security to higher security requires STATIC NAT and an ACL.

If you already have an ACL applied to an interface, i.e. inside, then all traffic that should be permitted must be explicitly defined.

If you really understand the above, you're done (for the basics).

Federico.
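The pieces from this thread, assembled into one complete pre-8.3 ASA configuration for the outside/inside/dmz layout discussed above. This is an added example, not configuration posted by anyone in the thread. Interface names, the 172.16.1.0/24 DMZ subnet, the 203.0.113.x public addresses and the service ports (80, 22, 1521) are assumptions; 10.1.2.18 is the PC address from the thread. On ASA 8.3 and later the `static`, `nat (ifc) N` and `global` commands used here were replaced by object NAT and twice NAT, so the NAT lines would need rewriting for those releases.

```cisco
! Added example (not from the thread). Constructed addresses: 203.0.113.10 is
! the web server's public IP, 172.16.1.10 its real DMZ IP, 10.1.2.18 the PC.
! Interface and ACL names are assumptions.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.2.20 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! --- Outside -> DMZ (lower -> higher: needs static NAT plus an ACL) ---
! Publish the web server on a public address and permit only TCP/80 to it.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
!
! --- Inside -> outside (higher -> lower: needs a NAT rule if nat-control is on) ---
! PAT the LAN behind the outside interface address. There is no global (dmz) 1,
! so ordinary inside hosts have no translation toward the DMZ and are dropped
! there when nat-control is enabled; only the PC's static below provides one.
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
!
! --- Inside -> DMZ: only the admin PC, only to the web server ---
! Identity static: the PC keeps its real address in the DMZ, and this static is
! the NAT rule that lets the flow pass under nat-control. Because it is static,
! the DMZ can also initiate traffic to 10.1.2.18, which dmz_in below restricts.
static (inside,dmz) 10.1.2.18 10.1.2.18 netmask 255.255.255.255
!
! Alternative (the "exempt NAT" from the thread): nat 0 with an ACL bypasses
! translation for exactly this host pair and wins over every other NAT rule.
! access-list nonat extended permit ip host 10.1.2.18 host 172.16.1.10
! nat (inside) 0 access-list nonat
!
! Once an ACL is applied to inside, everything inside may send must be listed:
! order matters, so the DMZ deny sits before the general permit.
access-list inside_in extended permit tcp host 10.1.2.18 host 172.16.1.10 eq 80
access-list inside_in extended permit tcp host 10.1.2.18 host 172.16.1.10 eq 22
access-list inside_in extended deny ip any 172.16.1.0 255.255.255.0
access-list inside_in extended permit ip 10.1.2.0 255.255.255.0 any
access-group inside_in in interface inside
!
! --- DMZ -> inside (lower -> higher: needs an ACL; the static above is the NAT) ---
! Allow only the web server to reach the PC on the assumed SQL*Net port, block
! everything else toward the LAN, and let the rest of the DMZ out via PAT.
access-list dmz_in extended permit tcp host 172.16.1.10 host 10.1.2.18 eq 1521
access-list dmz_in extended deny ip any 10.1.2.0 255.255.255.0
access-list dmz_in extended permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
nat (dmz) 1 172.16.1.0 255.255.255.0
```

With `no nat-control` in effect the `nat`/`global`/identity `static` lines are not needed for the flows to pass, but the three ACLs still decide what is permitted; the explicit `deny` lines before each general `permit` are what keep the DMZ and the LAN from reaching each other beyond the single host pair the thread asked for.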

Thank you so much for clearing up all my doubts.

That was quite helpful.
