dmz to lan w/ NAT - config?

Answered Question
Nov 13th, 2006

Customer on premises requires access to our network.

Requirements:

  • provide internet access
  • restrict access to various servers
  • NAT addresses

Is there any config out there which will help with DMZ to LAN access?

Thanks for any help.



gbudd12345 Mon, 11/13/2006 - 14:10

Tsrader,


Are you looking for a base config that would allow some of this?


Something like:


nat (dmz) 1 10.10.5.0 255.255.252.0
global (inside) 1 interface

access-list dmz_access_in deny ip any host server_ip_address
access-list dmz_access_in deny ip any host another_server_ip_address
access-list dmz_access_in permit ip any any

access-group dmz_access_in in interface dmz


Does this help or do you need more detailed help?


Thanks


--Gavin Budd



tsrader Mon, 11/13/2006 - 20:41

See attached proposed config.

(diagram revised to reflect proper ip addressing)

tsrader Mon, 11/13/2006 - 20:40

Diagram and proposed config attached.

Thanks for any input.



Correct Answer
gbudd12345 Tue, 11/14/2006 - 15:10

Hello Tsrader,


Your config looks pretty good for the most part. Here are some changes I would make:


access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any


The TCP/UDP/ICMP are all encompassed by the IP statement, so they really aren't needed. However, you don't actually apply that access-list to the inside interface, so by default, all traffic from the inside would be allowed to the gtadmz. If you wanted to block traffic from the inside to the gtadmz, you might do this:


access-list inside_access_in deny ip any object-group customer_nets
access-list inside_access_in permit ip any any


This will only allow connections that originate from the gtadmz to the inside and return packets.


On the NAT/Global statements, those are correct. Any requests from the gtadmz will appear to be from the IP address of the inside interface of the firewall to the servers on the inside. If that is what you want, then it should work just fine.


Finally, the question about applying the access-list to the interface. What you put is in correct.


I hope this helps.


--Gavin Budd
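Pulling the two replies above together, here is a complete PIX 7.x-style configuration in the same nat/global syntax the thread uses (it also applies to ASA releases before 8.3). It is an added example, not the original poster's attached config and not Gavin's reply: the interface names follow the thread (inside, gtadmz, outside), the customer range is taken from the thread's nat line, and every other address, the object-group members and the ACL names are hypothetical. It adds two points the snippets above do not show. First, translating the customer's addresses toward the higher-security inside interface is outside NAT, which on PIX 6.2 and later needs the outside keyword on the nat line; without it the nat statement only covers traffic toward lower-security interfaces. Second, the gtadmz ACL names its source networks instead of any, so a host that shows up on the customer segment with unexpected addressing does not get a free pass. The thread's nat (dmz) 1 10.10.5.0 255.255.252.0 uses a /22 mask, and the /22 that contains 10.10.5.0 is 10.10.4.0/22, which is how it is written here.

```cisco
! Added example (not from the thread). PIX 7.x / ASA pre-8.3 syntax.
! Interface names follow the thread; all addresses are hypothetical.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet2
 nameif gtadmz
 security-level 50
 ip address 10.10.4.1 255.255.252.0

! Inside servers the customer must not reach (hypothetical addresses)
object-group network restricted_servers
 network-object host 192.168.1.10
 network-object host 192.168.1.20

! Customer networks on the gtadmz segment (the /22 from the thread's nat line)
object-group network customer_nets
 network-object 10.10.4.0 255.255.252.0

! Internet access for the customer: PAT to the outside interface address.
! The existing inside-to-outside NAT is assumed to stay as it is and is not shown.
nat (gtadmz) 1 10.10.4.0 255.255.252.0
global (outside) 1 interface

! gtadmz -> inside: customer hosts appear as the inside interface address.
! gtadmz is the lower-security side, so this is outside NAT and needs the
! outside keyword; a separate NAT id keeps it apart from the internet PAT above.
nat (gtadmz) 2 10.10.4.0 255.255.252.0 outside
global (inside) 2 interface

! Customer traffic entering on gtadmz: deny the protected servers first, then
! permit everything else (internet and the remaining inside hosts). The ACL is
! evaluated top-down with an implicit deny at the end, so order matters.
access-list gtadmz_access_in deny ip object-group customer_nets object-group restricted_servers
access-list gtadmz_access_in permit ip object-group customer_nets any
access-group gtadmz_access_in in interface gtadmz

! Inside -> gtadmz: stop inside hosts from originating sessions to the customer
! while leaving everything else (including the internet) open. Return traffic for
! sessions the customer opened is still allowed by the stateful inspection.
access-list inside_access_in deny ip any object-group customer_nets
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
```

To check it on the box: show access-list gtadmz_access_in reports a hit count per line, so the deny entries should climb when a customer host probes a restricted server; show xlate should list customer hosts translated to the inside interface address once they connect inward. If connections from the gtadmz to the inside appear with their original 10.10.4.x source, the outside-NAT line is not matching.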
