07-31-2007 10:59 AM - edited 03-11-2019 03:51 AM
Hey guys
I have 3 nets - an outside/29, an inside 10.0.0.1/24, and a DMZ 10.1.0.1/24. I would like a few servers in the DMZ to be able to talk to a few servers on the inside net, just a few ports. What is the correct way to establish this?
Thanks,
Dan
07-31-2007 11:06 AM
enable static commands as follows:
static (inside,dmz) 10.0.0.50 10.0.0.50
enable access-list on dmz interface:
access-list dmz_acl permit tcp host 10.1.0.5 host 10.0.0.50 eq 80
access-group dmz_acl in interface dmz
this is an example to enable dmz host at 10.1.0.5 to access 10.0.0.50 on the inside on tcp port 80.
07-31-2007 11:08 AM
Something like this will do the trick. Obviously the permit statements in the ACL would be whatever you needed; I just used an example to allow the DMZ to reach 3 inside hosts.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-list dmz permit ip any host 10.0.0.1
access-list dmz permit ip any host 10.0.0.2
access-list dmz permit ip any host 10.0.0.3
access-list dmz deny ip any 10.0.0.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface DMZ
The last 2 lines in the acl are important if you want the DMZ to be able to access the outside.
Please rate helpful posts.
07-31-2007 11:12 AM
Awesome guys, thanks for the quick response!
07-31-2007 11:15 AM
oh yeah, don't forget those last two lines of acomiskey's config...VERY important. *slaps self for forgetting them*
these configs also assume nat-control is configured btw, if you're running 7.x.
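As an added example, not from the thread, here is a small Python first-match evaluator fed the ACLs posted above. It shows why the order of the lines matters and what the warning about the last two lines means: without them the DMZ can still reach the three listed inside hosts, but everything else, outside included, falls to the implicit deny. The 10.1.0.5 source and the 198.51.100.7 outside address are constructed test values; the static/nat-control side is not modelled.

```python
import ipaddress

# Constructed copies of the two ACLs posted in this thread (sample input
# for the evaluator; nothing here beyond what the replies contain).
HOST_ACL = "access-list dmz_acl permit tcp host 10.1.0.5 host 10.0.0.50 eq 80\n"
DMZ_ACL = """access-list dmz permit ip any host 10.0.0.1
access-list dmz permit ip any host 10.0.0.2
access-list dmz permit ip any host 10.0.0.3
access-list dmz deny ip any 10.0.0.0 255.255.255.0
access-list dmz permit ip any any
"""
# Same ACL with the last two lines left off, as warned about in the thread.
DMZ_ACL_SHORT = "\n".join(DMZ_ACL.splitlines()[:3]) + "\n"

def _take_addr(tok):
    """Consume one address spec: 'any', 'host X', or 'NETWORK MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl_text, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation, as on the PIX/ASA: the first ACE whose
    protocol, addresses and port all match decides; a flow matching
    nothing falls through to the implicit deny ending every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_text.strip().splitlines():
        action, aproto, src, dst, port = parse_ace(line)
        if aproto not in ("ip", proto):
            continue
        if s in src and d in dst and port in (None, dst_port):
            return action
    return "implicit-deny"

if __name__ == "__main__":
    for acl, name in ((DMZ_ACL, "full"), (DMZ_ACL_SHORT, "short")):
        print(name, "-> 10.0.0.1:80", evaluate(acl, "tcp", "10.1.0.5", "10.0.0.1", 80))
        print(name, "-> 10.0.0.10:80", evaluate(acl, "tcp", "10.1.0.5", "10.0.0.10", 80))
        print(name, "-> outside:443", evaluate(acl, "tcp", "10.1.0.5", "198.51.100.7", 443))
```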