ASA 5505 From DMZ server to Inside server

DelWoodcock
Level 1

I have a web server on the DMZ that I need to have a specific port (8000) accessing the same port on an INSIDE app server. I have searched and only come up with older examples of configurations, and I am running version 9.2(4).

1 Accepted Solution

Pablo
Cisco Employee

Hi,

If you don't need NAT for that connection then there's really nothing to it, you just need to update the DMZ ACL since you're currently blocking all the traffic going to the inside.

Maybe I'm missing something and you want to elaborate on what the requirement is...

__ __

Pablo


4 Replies

Dennis Mink
VIP Alumni

Are you after an outside user being able to access two servers? One server in the DMZ, the other server on the INSIDE? i.e. port redirection (static PAT)?

Please remember to rate useful posts by clicking on the stars below.

MANI .P
Level 1

Hi,

I understand that you have a web server in the DMZ. Outside users access this server through the https port. Similarly, you want ...? You have an app server in the inside zone, so outside users will access the app server through port 8000, which will be redirected to the app server (local IP with port 80)?

Okay.
For example:

My app server in the inside zone has IP 10.10.10.100 and allows port 80.

My app server is assigned public IP 1.1.1.1 (when outside users try 1.1.1.1 with port 8000, redirect to 10.10.10.100 port 80).

object network APP_SRV
 host 10.10.10.100

object network NAT_IP
 host 1.1.1.1

object network any_0
 subnet 0.0.0.0 0.0.0.0

! Mapped port (what outside users connect to)
object service PORT-8000
 service tcp source eq 8000

! Real port (my inside app server port)
object service PORT-80
 service tcp source eq 80

! Twice NAT: the real server 10.10.10.100:80 is reachable from outside as 1.1.1.1:8000.
! The service objects use "source" because the inside server is the source of this NAT rule.
nat (inside,outside) source static APP_SRV NAT_IP destination static any_0 any_0 service PORT-80 PORT-8000

Allow ACL to inside interface

! ASA 8.3 and later: the ACL matches the real (untranslated) address and port, not 1.1.1.1:8000.
access-list outside_access_in extended permit tcp any object APP_SRV eq 80
! The ACL only takes effect once it is bound to the interface the traffic arrives on.
access-group outside_access_in in interface outside

Rate if this helps you.

Thanks,

Mani.

------------------------------------------------------------------------------------------------------------

DelWoodcock
Level 1

Added the following line to the dmz_acl and it worked:

access-list dmz_acl extended permit tcp host 192.168.1.100 host 10.10.10.214 object-group Activity
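Putting Pablo's accepted answer (no NAT needed, just open the DMZ ACL) and DelWoodcock's working ACL line together, the following is a complete DMZ-to-inside configuration for ASA 9.2 as an added example; it is not configuration from the original thread. The addresses 192.168.1.100 and 10.10.10.214, the ACL name dmz_acl and the service group name Activity come from the thread; the object names, the interface nameifs "dmz" and "inside", the description text, the contents of the Activity group and the source port used in packet-tracer are assumptions.

```cisco
! Added example, not from the original thread. Assumptions: nameifs "dmz" and
! "inside", object names DMZ_WEB / INSIDE_APP, and that "Activity" contains only TCP/8000.
object network DMZ_WEB
 host 192.168.1.100
object network INSIDE_APP
 host 10.10.10.214

! Service group referenced by the ACL; one port keeps the rule least-privilege.
object-group service Activity tcp
 description TCP port the DMZ web server needs on the inside app server
 port-object eq 8000

! The DMZ ACL ends with an implicit deny, so this single line opens only
! 192.168.1.100 -> 10.10.10.214 on TCP/8000 and nothing else toward inside.
access-list dmz_acl extended permit tcp object DMZ_WEB object INSIDE_APP object-group Activity
access-group dmz_acl in interface dmz

! Only needed if an existing NAT rule (for example a dynamic rule written with
! "any" as the source or destination) would otherwise translate this flow.
! Identity NAT leaves both addresses unchanged, which is what Pablo means by
! "if you don't need NAT"; with only object NAT for (dmz,outside) in place,
! this line can be omitted entirely.
nat (dmz,inside) source static DMZ_WEB DMZ_WEB destination static INSIDE_APP INSIDE_APP

! Check the path on the ASA before asking the application team to test.
! The source port 40000 is an arbitrary ephemeral port chosen for the trace.
packet-tracer input dmz tcp 192.168.1.100 40000 10.10.10.214 8000
```

The packet-tracer output should show the ACCESS-LIST phase as ALLOW and end with "Action: allow"; a DROP in the ACCESS-LIST phase means the ACL or its access-group binding is wrong, while a drop in a NAT phase means another NAT rule is catching the flow and the identity NAT above is needed. Because 8.3 and later ACLs match real addresses, the ACL is written against 10.10.10.214 regardless of any NAT. One caveat specific to the 5505: with the Base license the third VLAN is a restricted VLAN configured with `no forward interface vlan N`; if N is the inside VLAN, the DMZ cannot initiate connections to inside at all and no ACL change will help, so check the VLAN interface configuration if the ACL line alone does not work.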
