Re: DMZ to Interal Network?

dmurray14 · ‎07-31-2007

Hey guys

I have 3 nets - an outside/29, an inside 10.0.0.1/24, and a DMZ 10.1.0.1/24. I would like a few servers in the DMZ to be able to talk to a few servers on the inside net, just a few ports. What is the correct way to establish this?

Thanks,

Dan

srue · ‎07-31-2007

enable static commands as follows:

static (inside,dmz) 10.0.0.50 10.0.0.50

enable access-list on dmz interface:

access-list dmz_acl permit tcp host 10.1.0.5 host 10.0.0.50 eq 80

access-group dmz_acl in interface dmz

this is an example to enable dmz host at 10.1.0.5 to access 10.0.0.50 on the inside on tcp port 80.

acomiskey · ‎07-31-2007

Something like this will do the trick. Obviously the permit statements in the acl would be whatever you needed, I just used an example to allow the dmz to 3 inside hosts.

static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.255

access-list dmz permit ip any host 10.0.0.1

access-list dmz permit ip any host 10.0.0.2

access-list dmz permit ip any host 10.0.0.3

access-list dmz deny ip any 10.0.0.0 255.255.255.0

access-list dmz permit ip any any

access-group dmz in interface DMZ

The last 2 lines in the acl are important if you want the DMZ to be able to access the outside.

Please rate helpful posts.

dmurray14 · ‎07-31-2007

Awesome guys, thanks for the quick response!

srue · ‎07-31-2007

oh yeah, don't forget those last two lines of acomiskey's config...VERY important. *slaps self for forgetting them*

these configs also assume nat-control is configured btw, if you're running 7.x.