I have a web server that resides on my DMZ that needs to communicate bi-directionally with a couple of servers on my internal LAN. I have set up the NAT and ACLs but I am still not able to get communications working. Would somebody please be able to have a quick look at the config below and the attached diagram and point me in the right direction?
Based on the config, your DMZ is running on 10.1.0.0/24, while Inside is on 10.0.0.0/24.
Your ACL is only allowing DMZ's 10.1.0.27 to talk to Inside's 10.0.0.209 (via specified TCP/UDP ports).
Do the following to allow your DMZ's web server to communicate with Inside hosts using their own original/physical IP address (NAT is not required). Apply an ACL to control who can access what via any permitted TCP/UDP protocol.
Other option, say, if you map Inside's 10.0.0.209 to DMZ's 10.1.0.27 with the intention of allowing another IP, for example 10.1.0.100, in the DMZ to access it, then your static map of "static (inside,dmz) 10.1.0.27 10.0.0.209 netmask 255.255.255.255 0 0" is correct (assuming I overlooked this).
Your static is mapping Inside's 10.0.0.209 to an unused DMZ IP of 10.1.0.27, so that any hosts/servers in the DMZ can access the Inside 10.0.0.209 server virtually as 10.1.0.27. This is more or less like having the Inside server sitting in the DMZ itself, running on a DMZ IP address. This is TRUE if your DMZ needs to first start/initiate the access.
Therefore, your access-list should be changed by replacing 10.1.0.27 with the IP address of the DMZ server that really needs to access the Inside host 10.0.0.209 (but mapped as 10.1.0.27).
For example, assuming a DMZ server of 10.1.0.100 needs to access 10.0.0.209, then just change the current (wrongly defined) 10.1.0.27 to 10.1.0.100. The 'host 10.0.0.209' was correct. Same goes for your static statement.
This option allows you to map the entire Inside subnet to the DMZ subnet without the need to use NAT. In other words, DMZ and Inside see each other using their own IP address/subnet.
Basically, you're now able to connect from the DMZ to Inside using Inside's own IP address, while Inside, at the same time, is able to start/connect to the DMZ using the DMZ's original IP. You only need ACLs to restrict who can access what via what port on both sides.
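One way to write the identity mapping and ACLs the answer describes, in pre-8.3 ASA syntax. This is an added example, not the poster's or the answerer's configuration; the interface names "inside" and "dmz", the ACL names, the DMZ web server address 10.1.0.100 and the port 443 are assumptions.

```text
! --- Added example (not the poster's configuration) ---
! Assumes pre-8.3 ASA syntax, interfaces named "inside" and "dmz",
! a DMZ web server at 10.1.0.100, and TCP/443 as the service (assumed).
!
! Identity mapping: Inside 10.0.0.0/24 appears in the DMZ under its real
! addresses. A static is bidirectional, so the DMZ 10.1.0.0/24 also reaches
! Inside unchanged; no second static is needed for the reverse direction.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! DMZ is the lower-security interface, so DMZ -> Inside must be permitted
! explicitly. Permit only the web server to the one Inside host and port.
! The explicit deny protects the Inside subnet if a broader permit (e.g.
! for DMZ Internet access) is ever appended after it.
access-list dmz_in extended permit tcp host 10.1.0.100 host 10.0.0.209 eq 443
access-list dmz_in extended deny ip any 10.0.0.0 255.255.255.0
access-group dmz_in in interface dmz
!
! Inside -> DMZ is allowed by default (higher to lower security) unless an
! inbound ACL is already bound to "inside"; if one is, add the matching permit.
access-list inside_in extended permit tcp host 10.0.0.209 host 10.1.0.100 eq 443
access-group inside_in in interface inside
!
! Verification: the identity translation should appear once traffic flows,
! and the permit line's hit count should increase on each new connection.
show xlate
show access-list dmz_in
```

If Inside must also initiate connections to the web server, the inside_in permit above covers that direction; the static alone does not open any access, the ACLs do.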