New Member

DMZ Zone

Hi,

I have created a DMZ zone on the Cisco ASA 5510 firewall. The DMZ is using a public IP address.

I am able to access the internet from the DMZ zone, but unable to access the server from inside to the DMZ zone.

Please suggest a command to allow access of the inside network to the DMZ network.

Regards,

Saroj

Also, please suggest how to allow access from the internet to the DMZ server.

Regards,

Saroj

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

  1. If you have an ACL on the inside interface, then you need an ACE for the traffic.
  2. The traffic from inside to the DMZ has to be exempted from NAT. The config-syntax depends on the version of the ASA, but you don't tell us which version you are running.

For ASA up to 8.2:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html#wp1077621

For ASA 8.3+:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_rules.html#wp1232160


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
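
The two steps from the answer above, written out for both syntax generations as an added example that is not part of the original thread. The interface name `dmz`, the ACL and object names, the /24 masks and the 192.0.2.0/24 DMZ range are assumptions; substitute the real values.

```cisco
! Constructed example. Assumed: nameif "inside" and "dmz", inside network
! 172.16.48.0/24, DMZ network 192.0.2.0/24, server 192.0.2.80.

! 1. Only needed if an ACL (assumed name INSIDE-IN) is already applied
!    inbound on the inside interface: permit just the required ports
!    to the DMZ server rather than "ip any any".
access-list INSIDE-IN extended permit tcp 172.16.48.0 255.255.255.0 host 192.0.2.80 eq 80
access-list INSIDE-IN extended permit tcp 172.16.48.0 255.255.255.0 host 192.0.2.80 eq 443

! 2a. NAT exemption, ASA up to 8.2 (NAT 0 with an ACL).
!     If "nat (inside) 0 access-list ..." already exists, add the ACE
!     to that existing ACL instead of binding a second one.
access-list INSIDE-NAT0 extended permit ip 172.16.48.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

! 2b. NAT exemption, ASA 8.3+ (identity twice NAT between the networks).
object network INSIDE-NET
 subnet 172.16.48.0 255.255.255.0
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET

! Verification (exec mode, not a configuration command): trace a TCP
! connection from an inside host to the DMZ server and read which
! phase (ACL, NAT, route) drops or translates it.
packet-tracer input inside tcp 172.16.48.111 12345 192.0.2.80 80
```

Use either 2a or 2b, matching the software version shown by `show version`.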
6 REPLIES
New Member

Hi,

As I am using the public IP address of the server in the DMZ zone, please suggest a command to allow access to the server from the internet.

Regards,

Saroj
VIP Purple

The following ACL allows any HTTP- and HTTPS-traffic to your DMZ-server (192.0.2.80 in my example):

access-list OUTSIDE-IN permit tcp any host 192.0.2.80 eq 80

access-list OUTSIDE-IN permit tcp any host 192.0.2.80 eq 443

That ACL needs to be applied to the outside interface:

access-group OUTSIDE-IN in interface outside

If there is already an ACL on the outside interface, then use that ACL instead.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi,

Thanks for the reply. The DMZ server is accessible from the internet, but the server still cannot be accessed from the inside interface. Enclosed please find my ASA config; please help.

Does it need any routing also?

Regards,

Saroj

New Member

Hi,

Now I have configured the NAT exempt and am able to ping the DMZ server from inside of the ASA firewall, but unable to access the server on port 80.

Please advise.

Regards,

Saroj

New Member

Hi,

I am trying to access the web server 122.168.191.226 from my PC 172.16.48.111 on port but am unable to access it. I ran the command packet-tracer input inside tcp 172.16.48.111 12345 122.168.191.226 80. Enclosed is the report; please advise.

Regards,

Saroj


 
