I'm new to firewall configurations so I need a little clarity. I have an ASA setup. My internal network is 192.168.0.0/24 and my DMZ network is 10.0.0.0/24. Now I need to know how to configure access from my internal network to my DMZ network. We have a web server and an FTP server on the same box there. I also have statics set up for outside access. I need to see an example DMZ ACL and for someone to explain it to me because I can't find documentation for it anywhere on the Cisco site.
So if your internal network is 192.168.0.0 and the DMZ is 10.0.0.0 you would need to do something like this:
1. Specify the source(s) of the traffic that must be translated.
So in your case it would be:
nat (inside) 1 192.168.0.0 255.255.255.0
! This is the inside subnet that needs to be xlated and appear as a host on the 10.0.0.0 DMZ network
global (dmz) 1 interface
! This will take the src traffic (inside subnet) and xlate or present the src as the interface of the dmz subnet, which will allow you to access the devices within your DMZ.
HTH
Since you are traversing from a higher security interface to a lower interface you do not need an ACL to specify the traffic; however, if you require traffic from an outside or DMZ host to access inside resources then you will need an ACL first to permit the traffic, then specify the static translation that will be stored in your xlate table.
So if you want to create an access-list in this situation where inside hosts access a server on the DMZ, I believe you do the following, not 100% sure though.
1. Create an access-list for the traffic:
access-list insidetodmz permit tcp 192.168.0.0 255.255.255.0 host (ip address of server on DMZ) eq 80
2. Create the static NAT entry based upon the ACL:
static (inside,dmz) (ip address of server on DMZ) (ip address of server on DMZ)
This is referred to as identity NAT.
The reason I am doing identity NAT is because when you specified the traffic in the ACL you are basically saying permit traffic sourced from (src) subnet 192.168.0.0 to (dst) ip address of server on DMZ.
Next what you have to do is use a static NAT translation (this basically adds an xlate entry in the database; a conn entry is also created to xlate traffic from the inside to the DMZ), and because the ACL permits traffic from 192.168.0.0 to (NAT server address), you are basically hiding your inside subnet (188.8.131.52) and presenting it as (ip address of the DMZ server you want to access).
HTH
ASA-Device-name(config)# global (DMZ) 1 interface
HTH
is not mutually exclusive with my last suggestion (ACL + static NAT).
So either do one or the other in your configuration, as it will lead to undesirable results.
Also you need to keep in mind the order in which NAT statements occur; excerpt from the Cisco PIX book:
If you configure several address translation operations, you might have some overlap between them. For example, the same local address might appear in more than one NAT definition. To resolve any ambiguity, the firewall evaluates the various types of NAT in the following order before creating an xlate entry:
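Putting the thread's pieces together into one working pre-8.3 configuration, as an added example that is not from any of the posters. It assumes interface names inside (security-level 100) and dmz (security-level 50), the dmz interface address 10.0.0.1, and a single DMZ box 10.0.0.10 serving HTTP and FTP (all constructed values); the NAT exemption block is an alternative the thread does not mention.

```cisco
! Added example, not from any of the posters. Assumes pre-8.3 syntax,
! interface names "inside" (security-level 100) and "dmz" (security-level 50),
! and a single DMZ box 10.0.0.10 serving HTTP and FTP (constructed values).

! --- Option A (first reply): PAT the inside subnet behind the dmz interface address.
! Inside -> dmz is high -> low, so no ACL is required for the flow to be allowed.
! Caveat: the DMZ server then sees every inside client as 10.0.0.1, so its logs
! cannot attribute a request to a specific inside host.
nat (inside) 1 192.168.0.0 255.255.255.0
global (dmz) 1 interface

! --- Option B (alternative, not in the thread): NAT exemption keeps the real
! inside source addresses toward the DMZ. nat 0 is evaluated before nat 1, so
! both can coexist: inside -> DMZ matches nat 0, anything else still uses nat 1.
access-list inside_nat0 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0

! --- Least privilege: restrict what inside hosts may reach on the DMZ.
! Applying an ACL to the inside interface replaces the implicit "permit all"
! for that interface, so the last permit keeps other outbound traffic working.
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.10 eq www
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.10 eq ftp
access-list inside_access_in extended deny ip any 10.0.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-group inside_access_in in interface inside

! FTP data connections rely on the default "inspect ftp" in global_policy.

! --- Checks: confirm the translation and the ACL decision before trusting it.
show nat
packet-tracer input inside tcp 192.168.0.50 40000 10.0.0.10 80
show xlate
```

The packet-tracer output shows which NAT rule and which ACL line the flow hits, which is the quickest way to tell whether the nat 0 exemption or the nat 1 PAT is being applied.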