Creating Internal and external access

jeffreydavy
Level 1

I am using an ASA, versions below:

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(1)

I have been tasked with enabling access from our internal networks to servers that are hosted on the DMZ and NATed to external clients.

How do I do this? The DMZ is not an internal routable network, so do I use another NAT somehow?

How do I propagate the DMZ server across the internal network?

Thanks

3 Replies

varrao
Level 10

Hi Jeff,

Going by your description, I assume you have three interfaces on the ASA, outside, inside and DMZ.

If you would like to access the DMZ servers on public IPs from the inside interface, then you would need the following config:

static (DMZ,inside) 1.1.1.1 10.1.1.1
nat (inside) 1 0 0
global (DMZ) 1 interface

where 1.1.1.1 is the public IP and 10.1.1.1 is the private IP of the server.

If you want to access DMZ servers on their original IPs only:

static (DMZ,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
nat (inside) 1 0 0
global (DMZ) 1 interface

This should be the minimum required config, unless I didn't understand your setup correctly. Moreover, can you tell me what device you are using? Model number? Base or Plus license?

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Thank you for responding Varun, but the DMZ network is not routable across our MPLS network, so that is what I need to understand. Do I have to set up another NAT so that we can access the DMZ servers from anywhere in our network? Even across the MPLS from other offices?

I am using an ASA 5510 ver 8.2(1)

running ASDM 6.2(1)

Here are the interfaces:

interface Ethernet0/0.10
 description SE-GF1-CR-A Transit
 vlan 10
 nameif Inside
 security-level 100
 ip address 10.116.10.5 255.255.255.0 standby 10.116.10.6
!
interface Ethernet0/0.666
 description SE-GF1-CR-A Legacy
 vlan 666
 nameif Legacy
 security-level 100
 ip address 172.16.104.254 255.255.252.0 standby 172.16.104.1
!
interface Ethernet0/1
 description SE-GF1-CR-A Gi1/0/4 Trunk
 speed 1000
 duplex full
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.20
 vlan 20
 nameif DMZ
 security-level 40
 ip address 172.16.111.1 255.255.255.0 standby 172.16.111.2
!
interface Ethernet0/2
 description SE-GF1-CR1-A connects to Tele2 ISP
 speed 100
 duplex full
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/2.15
 vlan 15
 nameif Outside
 security-level 0
 ip address pix_outside 255.255.255.240 standby 212.247.51.2
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif Extern
 security-level 0
 ip address 212.247.51.17 255.255.255.240 standby 212.247.51.27

Hi Jeff,

Yes, you would need to set up the NAT that I suggested in my previous post; that would give you complete access to the servers from the inside interface. From any other interface as well, the config is going to be the same, just change the interface names.

Thanks,

Varun

Thanks,
Varun Rao
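The replies above give the static/nat/global lines in the abstract. The following is an added worked example, not posted by either participant, that writes the same 8.2-style configuration against the interface names Jeff listed (Inside, Legacy, DMZ, Outside) and adds the piece his follow-up is really asking about: what has to happen on the routing side for remote offices across the MPLS. The server address 172.16.111.10 is a constructed host inside the posted 172.16.111.0/24 DMZ, and 203.0.113.10 is a documentation-range placeholder standing in for the real public address; the "nat-control" remark and the IOS route line are assumptions about the surrounding network, not facts from the thread.

```cisco
! Added example, not from the thread. ASA 8.2 syntax.
! Constructed values:
!   DMZ server real address : 172.16.111.10  (in the posted DMZ subnet)
!   public (mapped) address : 203.0.113.10   (placeholder, documentation range)
!
! 1. The outside-facing translation external clients already use (assumed form).
static (DMZ,Outside) 203.0.113.10 172.16.111.10 netmask 255.255.255.255
!
! 2. Present the same public address on the internal interfaces.
!    Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
!    Inside/Legacy hosts send to 203.0.113.10; the ASA rewrites the
!    destination to 172.16.111.10 before forwarding into the DMZ.
static (DMZ,Inside) 203.0.113.10 172.16.111.10 netmask 255.255.255.255
static (DMZ,Legacy) 203.0.113.10 172.16.111.10 netmask 255.255.255.255
!
! 3. Source translation for internal hosts entering the DMZ (required only
!    when nat-control is enabled; harmless otherwise). Both interfaces
!    share NAT id 1 so one global statement covers them.
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Legacy) 1 0.0.0.0 0.0.0.0
global (DMZ) 1 interface
!
! 4. Reachability from other offices is a routing problem, not a NAT one:
!    every internal router along the path, including the MPLS edge, needs a
!    route for the mapped address that points at the ASA Inside address
!    (10.116.10.5). Constructed IOS example for the core router facing Inside:
!
!    ip route 203.0.113.10 255.255.255.255 10.116.10.5
```

Two checks worth doing after applying something like this: `show xlate` on the ASA should show a translation for 203.0.113.10 once an internal host connects, and a traceroute from a remote office should reach the ASA Inside address before the first timeout; if it does not, the missing piece is the route in step 4, not the NAT. Because Inside and Legacy are both security-level 100 while DMZ is 40, the default inspection policy already permits the inside-to-DMZ direction; no access-list is needed for this flow unless one is already applied inbound on those interfaces.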