Cisco Support Community
Community Member

DMZ Configuration

I am trying to set up a DMZ and I am running into problems. I set up a Windows server in the DMZ thinking I would be able to ping it or at least access the file share. No luck. (No, I won't do this in a production environment.) I am new at setting up a DMZ and want to get the hang of how things will work. The ASA I am working with is currently in a test environment.

The quick startup guide for the Cisco ASA appliance suggests doing the following.

DMZ = 10.30.30.0 /24

internal = 192.168.0.0 /24

global (dmz) 50 10.30.30.10-10.30.30.30 netmask 255.255.255.0

nat (inside) 50 192.168.0.0 255.255.255.0

I then put a windows machine in the DMZ and configured it with an IP of 10.30.30.50.

What I have found is I get no xlate, and I can't access the server via ping or the file share.

I have seen some references on this forum recommending

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Any suggestions? Thanks.

2 REPLIES
Cisco Employee

Re: DMZ Configuration

In the above case, Static is a better route to take since the packets are between the Inside and DMZ.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

In the above case, any 192.168.0.0/24 traffic going to the DMZ will get translated to 192.168.0.0/24. So the DMZ network will see the inside network as 192.168.0.0/24. And if the DMZ is going to initiate the traffic to inside destined for 192.168.0.0/24, make sure the ACL applied on the DMZ permits this traffic.

Regards,

Arul

*Pls rate if it helps*

Re: DMZ Configuration

In addition, you can do a nonat exempt ACL instead, towards either direction, if you intend to simply NAT exempt both networks, DMZ and inside.

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.30.30.0 255.255.255.0

access-list nonat extended permit ip 10.30.30.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (dmz) 0 access-list nonat

Best is to reference this link to understand NAT in firewalls

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Regards
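An added example (not code from the thread or from Cisco): a small Python model of how the three NAT variants quoted in this thread would treat an inside-to-DMZ flow. It assumes the pre-8.3 lookup order (nat 0 exemption first, then static, then dynamic nat/global), models only source translation, and uses the interface names and addresses from the posts.

```python
import ipaddress
# Added example, not from the thread: a toy resolver for the pre-8.3 ASA NAT
# syntax quoted above. Assumed lookup order: nat 0 exemption, then static,
# then dynamic nat/global; only source translation is modelled.

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    r = {"acl": {}, "exempt": [], "static": [], "nat": [], "global": {}}
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "access-list":       # access-list NAME extended permit ip SRC MASK DST MASK
            r["acl"].setdefault(p[1], []).append((net(p[5], p[6]), net(p[7], p[8])))
        elif p[0] == "static":          # static (real,mapped) MAPPED REAL netmask MASK
            real, mapped = p[1].strip("()").split(",")
            r["static"].append((real, mapped, net(p[3], p[5]), ipaddress.ip_address(p[2])))
        elif p[0] == "nat" and p[2] == "0":   # nat (ifc) 0 access-list NAME
            r["exempt"].append((p[1].strip("()"), p[4]))
        elif p[0] == "nat":             # nat (ifc) ID NET MASK
            r["nat"].append((p[1].strip("()"), p[2], net(p[3], p[4])))
        elif p[0] == "global":          # global (ifc) ID FIRST-LAST netmask MASK
            r["global"][(p[1].strip("()"), p[2])] = p[3].split("-")[0]
    return r

def resolve(r, src, dst, ingress, egress):
    """Return (rule kind, translated source address) for one flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ifc, name in r["exempt"]:       # NAT exemption matches in both directions
        for s, d in r["acl"].get(name, []):
            if (ifc == ingress and src in s and dst in d) or (ifc == egress and dst in s and src in d):
                return "exempt", str(src)
    for real, mapped, rnet, mbase in r["static"]:
        if real == ingress and mapped == egress and src in rnet:
            return "static", str(mbase + (int(src) - int(rnet.network_address)))
    for ifc, nid, n in r["nat"]:        # dynamic: simplified to the first pool address
        if ifc == ingress and src in n and (egress, nid) in r["global"]:
            return "dynamic", r["global"][(egress, nid)]
    return "none", str(src)

# Constructed sample configs, copied from the posts above
ORIGINAL = "global (dmz) 50 10.30.30.10-10.30.30.30 netmask 255.255.255.0\nnat (inside) 50 192.168.0.0 255.255.255.0"
STATIC = "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0"
EXEMPT = ("access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.30.30.0 255.255.255.0\n"
          "access-list nonat extended permit ip 10.30.30.0 255.255.255.0 192.168.0.0 255.255.255.0\n"
          "nat (dmz) 0 access-list nonat")

for name, cfg in (("original", ORIGINAL), ("static", STATIC), ("exempt", EXEMPT)):
    print(name, resolve(parse(cfg), "192.168.0.20", "10.30.30.50", "inside", "dmz"))
```

The dynamic case shows the inside host appearing in the DMZ under a pool address, while the static identity and exemption cases leave it as 192.168.0.20, which is what the replies above are aiming for.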
