10-20-2008 12:47 PM - edited 03-11-2019 07:00 AM
Here is my network Diagram and my questions:
Router 2821 G0/0 port connected to F0/0 of the firewall, ASA 5510 (outside network), configured with a static public IP address (209.x.x.10).
Firewall F0/2 (DMZ) connected to switch 3560: 172.16.3.254
Switch 3560 configured with a number of VLANs.
I have already connected my web server to the switch and put it in the right VLAN; I know that because I can ping from the ASA firewall (DMZ interface) to the web server (172.16.2.10).
My ISP provided me with many public IP addresses, and I want to use another IP address (209.x.x.11) and configure it on the firewall, so that when people (outside) type this IP address in their IE, it will be forwarded to the DMZ web server.
10-20-2008 01:02 PM
Hi,
The trunk port must be enabled between the FW and the switch. Use the following commands:
First, map the local IP to a static public IP:
static (Inside,outside) 209.*.*.11 172.16.2.10 netmask 255.255.255.255
Second, make an access list on the outside interface for incoming web traffic from outside to the inside network:
access-list outside_access_in extended permit tcp any host 209.*.*.11 eq www
access-group outside_access_in in interface outside
Please rate if it helps
10-20-2008 03:14 PM
Hi Ray_Stone. Thanks, but I need you to review the running-config below:
As you can see, I already have an appliance in the DMZ, and I need to add that web server to that DMZ with a different public IP address.
Running-Config:
access-list inbound extended permit tcp any host 209.x.x.9 eq www
access-list inbound extended permit tcp any host 209.x.x.9 eq smtp
access-list inbound extended permit tcp any host 209.x.x.9 eq https
access-list inbound extended permit icmp any host 209.x.x.10 echo-reply
access-list DMZIN extended permit tcp host 172.16.3.3 host 172.16.1.4 eq smtp
access-list DMZIN extended permit tcp host 172.16.3.3 host 172.16.1.2 eq ldap
access-list DMZIN extended permit udp host 172.16.3.3 any eq domain
access-list DMZIN extended permit icmp host 172.16.3.3 any
access-list DMZIN extended permit udp host 172.16.3.3 any eq ntp
access-list DMZIN extended permit tcp host 172.16.3.3 any eq www
access-list DMZIN extended permit tcp host 172.16.3.3 any eq 8000
access-list DMZIN extended permit udp any host 172.16.1.2 eq ntp
access-list DMZIN extended permit udp any host 172.16.65.2 eq ntp
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.99.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.16.65.0 255.255.255.0 192.168.99.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.99.0 255.255.255.240
access-list marketingin extended deny tcp any any eq telnet
access-list marketingin extended deny tcp any any eq ssh
access-list marketingin extended deny tcp any any eq 3389
access-list marketingin extended permit icmp any any
access-list marketingin extended permit icmp any any echo
access-list marketingin extended permit icmp any any echo-reply
access-list marketingin extended permit ip 192.168.49.0 255.255.255.0 any
access-list marketingin extended permit udp any host 172.16.1.2 eq ntp
access-list marketingin extended permit udp any host 172.16.65.2 eq ntp
access-list usersin extended deny tcp any any eq telnet
access-list usersin extended deny tcp any any eq ssh
access-list usersin extended permit udp 192.168.10.0 255.255.255.0 host 172.16.65.2 eq bootps
access-list usersin extended deny ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list usersin extended permit ip 192.168.10.0 255.255.255.0 any
access-list usersin extended permit udp any host 172.16.65.2 eq ntp
access-list usersin extended permit udp any host 172.16.1.2 eq ntp
global (outside) 1 interface
global (outside) 2 209.x.x.9 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 172.16.1.4 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 172.16.3.3 255.255.255.255
static (DMZ,outside) tcp 209.x.x.9 smtp 172.16.3.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 209.x.x.9 https 172.16.1.4 https netmask 255.255.255.255
static (inside,outside) tcp 209.x.x.9 www 172.16.1.4 www netmask 255.255.255.255
static (inside,DMZ) 172.16.1.4 172.16.1.4 netmask 255.255.255.255
static (DMZ,inside) 172.16.3.3 172.16.3.3 netmask 255.255.255.255
static (inside,DMZ) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group inbound in interface outside
access-group DMZIN in interface DMZ
access-group usersin in interface telecom
access-group marketingin in interface Employees
access-group sales in interface sales
I cut a couple of statements because of the length limitation; sorry for that.
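The full set of changes that fits the running-config above, written out as an added example (this is not one of the thread's replies and not Cisco's own documentation). It uses the same pre-8.3 static/access-list syntax the poster's configuration uses. It assumes the web server 172.16.2.10 is reached through the interface named DMZ, as the question states; the existing "static (inside,DMZ) 172.16.2.0 172.16.2.0" line suggests that subnet may actually sit behind inside, in which case every (DMZ,outside) below becomes (inside,outside). The source address 203.0.113.5 in the packet-tracer line is a constructed test value.

```cisco
! Added example: publish a second DMZ web server on 209.x.x.11.
! ASSUMPTION: 172.16.2.10 is behind the interface named "DMZ".

! 1. One-to-one static NAT for the new public address on the DMZ/outside pair.
!    Ray_Stone's "static (Inside,outside)" would build the xlate on the wrong
!    interface pair if the host really is behind DMZ. A whole-host static
!    exposes every port, so the ACL in step 2 is what limits exposure.
static (DMZ,outside) 209.x.x.11 172.16.2.10 netmask 255.255.255.255

! 2. Permit only HTTP from the Internet to the new public IP. Add the line to
!    the ACL already bound to outside ("inbound"). Creating a second ACL and
!    binding it with "access-group ... in interface outside" would REPLACE
!    "inbound" and silently drop the existing rules for 209.x.x.9.
access-list inbound extended permit tcp any host 209.x.x.11 eq www

! 3. DMZIN already ends in an implicit deny, so the new host can start no
!    sessions until it is listed. Mirror only what the existing appliance
!    (172.16.3.3) is allowed, not "permit ip host 172.16.2.10 any"; the deny
!    is what keeps a compromised web server off 172.16.1.0/24.
access-list DMZIN extended permit udp host 172.16.2.10 any eq domain
access-list DMZIN extended permit udp host 172.16.2.10 host 172.16.1.2 eq ntp

! 4. Verify from the ASA itself. packet-tracer walks a synthetic packet through
!    ACL, NAT and routing and names the phase that drops it. 203.0.113.5 is a
!    constructed outside source address for the test.
packet-tracer input outside tcp 203.0.113.5 40000 209.x.x.11 80
show xlate | include 172.16.2.10
show access-list inbound | include 209.x.x.11
```

If packet-tracer reports the drop at the NAT phase, the interface pair in the static line does not match where the host actually lives; if it reports it at the ACL phase, the "inbound" line did not take or a different ACL is bound to outside. Note that on ASA 8.3 and later the same change is expressed with object network NAT and the ACL references the real address (172.16.2.10), not the public one.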