New Member

DMZ Setup help...please

I am trying to get my DMZ functioning properly and need some assistance. I have the outside to the DMZ functioning as it should, but can't seem to get access working between the inside and the DMZ. I've tried using suggestions from previous posts to no avail. I'm thinking it has something to do with exemptions overlapping with my NAT, etc., because with a clean config (no site-to-site VPN) it works fine...HELP! I've attached my config for reference.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: DMZ Setup help...please

You will have to explain what you are trying to do.

Are you accessing hosts in the DMZ zone from the inside zone, right? Is this ICMP ping? Or FTP? Or what traffic? Tell me the source and destination IPs.

Also, can you paste the access list that you are binding to the DMZ interface? Remember this access list will need to permit traffic from DMZ to outside also.

9 REPLIES

Re: DMZ Setup help...please

try adding:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.100.1.0 255.255.255.0

HTH

New Member

Re: DMZ Setup help...please

I tried your recommendation and it appears I may have to button hook the traffic back in now? My log doesn't show any traffic from my host to the DMZ host, and I no longer get the port map error I used to get.

Silver

Re: DMZ Setup help...please

For the traffic inside to DMZ, you need just a NAT translation, i.e.

nat (inside) 10 0.0.0.0 0.0.0.0

global (DMZ) 10 interface

For traffic from DMZ to inside, you would need to open ports using an access list.

access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0

access-group DMZ_access_in in interface DMZ

HTH

Saju

New Member

Re: DMZ Setup help...please

I tried to add

nat (inside) 10 0.0.0.0 0.0.0.0

and it came back with "Duplicate NAT entry", since I have

nat (inside) 1 0.0.0.0 0.0.0.0

Should I drop the following?

nat (DMZ) 10 10.100.1.0 255.255.255.0

And add the ACL?

My logs show that the traffic hits the outside at 1.1.1.241; should that happen?

I greatly appreciate your help!

Silver

Re: DMZ Setup help...please

Yes, you do not need "nat (DMZ) 10 10.100.1.0 255.255.255.0":

no nat (DMZ) 10 10.100.1.0 255.255.255.0

Yes, add the access list including the networks you need. I just included directly connected networks to give you an example.

Also, along with the access-list you will also need static statements if you want to access hosts in the inside zone.

static (inside,DMZ)

HTH

Saju

Pls rate helpful posts
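Putting the thread's suggestions together into one coherent pre-8.3 ASA NAT layout, as an added example that is neither the poster's attached config nor Saju's exact answer. The 192.168.0.0/16 inside range, the 192.168.200.0/24 directly connected inside subnet and the 10.100.1.0/24 DMZ come from the thread; the VPN peer network 172.16.0.0/24, the inside host 192.168.200.10, the DMZ host 10.100.1.5 and TCP port 1433 are assumed for illustration.

```cisco
! Pre-8.3 nat/global syntax, matching the commands used in this thread.
!
! Site-to-site VPN exemption: list only the VPN peer network (assumed 172.16.0.0/24),
! not "any", so inside->DMZ traffic never matches nat 0 by accident and the
! overlap the original poster suspected cannot occur.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Inside -> DMZ (high to low security): only a translation is required.
! The directly connected inside subnet keeps its real addresses toward the DMZ
! (identity static, the "static (inside,DMZ)" Saju refers to); the rest of
! 192.168.0.0/16 is PATed behind the DMZ interface address.
static (inside,DMZ) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface
!
! The thread's "nat (DMZ) 10 10.100.1.0 255.255.255.0" had no matching global and
! was removed as suggested; nothing replaces it here.
!
! DMZ -> inside (low to high security): nothing enters without an inbound ACL.
! Permit only the one service the DMZ host needs (assumed TCP/1433 to 192.168.200.10),
! deny the rest of the inside range explicitly, then let the DMZ reach the outside,
! which the accepted answer reminds us this same ACL must also allow.
access-list DMZ_access_in extended permit tcp 10.100.1.0 255.255.255.0 host 192.168.200.10 eq 1433
access-list DMZ_access_in extended deny ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 any
access-group DMZ_access_in in interface DMZ
!
! Verification from the ASA itself, before blaming it: the trace shows which NAT rule
! and ACL line each direction hits. If both phases show ALLOW and the session still
! does not complete, look beyond the firewall (the poster's culprit was an inside router ACL).
packet-tracer input inside tcp 192.168.200.10 40000 10.100.1.5 80
packet-tracer input DMZ tcp 10.100.1.5 40000 192.168.200.10 1433
```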

New Member

Re: DMZ Setup help...please

Still no luck. I have attached a capture file, the session just doesn't seem to complete...

The capture was done on the ASA with the egress set to inside and the ingress set to DMZ.

New Member

Re: DMZ Setup help...please

I've been doing some trace routes and it appears to be a routing issue on the inside. Thanks for the help! If I run into something else I'll post again.

New Member

Re: DMZ Setup help...please

Ended up being ACL on an inside router blocking the traffic...explains the absence of dropped packets in the logs.

Thanks again!
