There is a web server on the internet. The firewall ASA5505 is located at the inside edge of the edge router, and the internet is at the outside edge of the edge router. The router has already been configured and can route the outside network of the firewall to the internet.
The IP address information is as below:
Inside edge of the edge router : 192.168.20.2/24
Outside network of firewall ASA5505 : 192.168.20.0/24 with security level of 20
Outside interface of the firewall ASA5505 : 192.168.20.1/24
DMZ network of the firewall ASA5505 : 192.168.50.0/24 with security level of 50
Host at the DMZ : 192.168.50.10/24, defined with the name DMZ_Host
Static mapped address of the host at the DMZ to the outside network : 192.168.20.10/24
1. I have a host in the DMZ zone of the firewall. If it wants to access this web server by HTTP, are the following command lines to be added to the ASA5505 good enough, and is anything wrong with them?
access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 --> allow outside to access dmz
access-list Outside_DMZ extended permit tcp host Web_server host DMZ_Host eq 80 --> allow web server to access dmz host
static (dmz,outside) 192.168.20.10 192.168.50.10 netmask 255.255.255.255 --> static mapped the dmz host to outside mapped address
route outside 0.0.0.0 0.0.0.0 192.168.20.2 --> static route of dmz network to internet
access-group Outside_DMZ in interface Outside --> applied the access list to firewall outside interface
2. I have a doubt here: do I need to add any command line related to the static mapped address 192.168.20.10/24, like below?
access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80
where 192.168.20.10 is the static mapped address of the host at the DMZ to the outside network. Or do any other commands related to the static mapped address have to be added?
If you add the following: access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80
It could be a security threat, as you will be allowing connections to the server on the DMZ from anywhere on the outside, unless this is what you are looking for (access the server from anywhere on the outside).
Rate helpful posts!
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0
is not added, can the Web_server still access the DMZ_Host? This is because, in my understanding, the Web_server with a public IP address will only be routed to the outside network of the firewall by the edge router.
Is it necessary to add the above command so that the firewall can allow the routed IP of this Web_server to access the DMZ_Host?
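As an added example (not part of this thread, and not a Cisco tool), here is a small Python checker that runs over the access-list lines proposed above and flags the two points the thread turns on: an ACE with source `any` that reaches the DMZ host's mapped address (Julio's concern), and an ACE whose address/mask pair does not describe what the author seems to intend. It assumes the pre-8.3 NAT syntax used in the thread (`static (dmz,outside) ...`), under which an access-list applied to the outside interface must reference the mapped address 192.168.20.10 rather than the real DMZ address, so it also flags real 192.168.50.0/24 addresses in the outside ACL. The name table (DMZ_Host = 192.168.50.10) and the first three sample lines come from the posts; the fourth sample line is my own hardened variant, and the parser is a hand-written approximation of the ASA `extended` ACE grammar, not Cisco's.

```python
"""Lint ASA 'access-list ... extended' lines for the pitfalls discussed in the thread.

Added example; the parser is a small hand-written approximation of the ASA
extended ACE syntax (protocol, source spec, destination spec, optional 'eq PORT').
"""
import ipaddress

# From the thread: DMZ_Host is the real address of the DMZ host; Web_server is
# never given an address in the posts, so it stays an unresolved name.
NAMES = {"DMZ_Host": "192.168.50.10"}
DMZ_MAPPED = ipaddress.ip_address("192.168.20.10")     # static mapped address (thread)
DMZ_REAL_NET = ipaddress.ip_network("192.168.50.0/24")  # real DMZ network (thread)

# Constructed sample: the three ACEs proposed in the posts (as written, including
# the missing mask on the first one) plus a hardened variant of the second that
# references the mapped address (assumption: pre-8.3 outside ACLs match mapped IPs).
SAMPLE_ACL = """
access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0
access-list Outside_DMZ extended permit tcp host Web_server host DMZ_Host eq 80
access-list Outside_DMZ extended permit tcp any 192.168.20.10 255.255.255.0 eq 80
access-list Outside_DMZ extended permit tcp host Web_server host 192.168.20.10 eq 80
"""


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any' | 'host X' | 'X MASK'."""
    tok = tokens[i]
    if tok == "any":
        return {"kind": "any", "addr": None, "mask": None}, i + 1
    if tok == "host":
        if i + 1 >= len(tokens):
            raise ValueError("missing host address")
        return {"kind": "host", "addr": tokens[i + 1], "mask": "255.255.255.255"}, i + 2
    if i + 1 >= len(tokens):
        raise ValueError("missing netmask")
    return {"kind": "net", "addr": tok, "mask": tokens[i + 1]}, i + 2


def parse_ace(line):
    """Parse one extended ACE into a dict, or return None for other lines."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, proto = tokens[1], tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    port = tokens[i + 1] if i + 1 < len(tokens) and tokens[i] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def _as_network(spec):
    """Network an address spec matches; None for 'any' or an unresolved name."""
    if spec["kind"] == "any":
        return None
    addr = NAMES.get(spec["addr"], spec["addr"])
    try:
        return ipaddress.ip_network(f"{addr}/{spec['mask']}", strict=False)
    except ValueError:
        return None


def lint_ace(ace):
    """Return a list of finding tags for one parsed ACE."""
    findings = []
    for role in ("src", "dst"):
        net = _as_network(ace[role])
        if net is None:
            continue
        addr = ipaddress.ip_address(NAMES.get(ace[role]["addr"], ace[role]["addr"]))
        # Host bits set under the mask: 192.168.20.10 255.255.255.0 matches the
        # whole /24, not the single host the author had in mind.
        if addr != net.network_address:
            findings.append(f"{role}-mask-not-host")
    dst_net = _as_network(ace["dst"])
    if dst_net is not None:
        # Julio's point: 'any' reaching the mapped DMZ address exposes the host
        # to the whole outside.
        if ace["src"]["kind"] == "any" and DMZ_MAPPED in dst_net:
            findings.append("any-to-dmz-mapped")
        # Pre-8.3 assumption: outside ACLs see the mapped address, so a real
        # DMZ address here will never match inbound traffic.
        if dst_net.overlaps(DMZ_REAL_NET):
            findings.append("dmz-real-address-in-outside-acl")
    return findings


def lint_acl(text):
    """Map each access-list line in text to its findings (empty list = clean)."""
    report = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            ace = parse_ace(line)
        except ValueError as exc:
            report[line] = [f"malformed: {exc}"]
            continue
        if ace is not None:
            report[line] = lint_ace(ace)
    return report


if __name__ == "__main__":
    for line, findings in lint_acl(SAMPLE_ACL).items():
        print(f"{line}\n    -> {findings or 'ok'}")
```

Only the last sample line comes back clean: it names a specific source and the mapped address as a /32 destination, which is the shape an outside-to-DMZ permit should have under this NAT syntax.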