dmz

prashantrecon
Level 1

Server on dmz with private ip 10.10.10.10 mapped with ip 172.20.1.10

static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255

Are inside users going to access the machine on the dmz through the outside interface?


Jouni Forss
VIP Alumni

Hi,

Your INSIDE host can/will access the DMZ host with the IP address 172.20.1.10 from the INSIDE interface (provided you have the route for it OR the default route points towards the ASA, which is probably the case).

The outside interface has nothing to do with the above configuration.

- Jouni

EDIT: Had written DMZ instead of INSIDE at the start of the sentence.

What interface is 172.20.1.10 on?

If 172.20.1.10 is on the INSIDE interface, then any client requesting 172.20.1.10 coming into the firewall from the INSIDE interface would be able to hit the private IP (as long as ACLs allow it).

If 10.10.10.10 sends data to the INSIDE, it will get converted to 172.20.1.10, but will not if it goes out another interface.

I hope this helps.

Scape

journiforss, both the inside and dmz are interfaces on the ASA, no routing is necessary right (as long as using version 8.43 or later)?

Julio Carvajal
VIP Alumni

Hello Prashant,

As your NAT says (DMZ,INSIDE), those 2 interfaces are the only ones involved in the communication from an inside host to the DMZ server.

That being said let me know if you need something else.

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

Can inside users access the dmz server with the mapped address?

Hi,

With the NAT command you mentioned in the original post

static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255

You can access the DMZ server 10.10.10.10 from your INSIDE network with the mapped address of 172.20.1.10.

- Jouni
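
The translation discussed in this thread with a way to confirm which interfaces it involves, as an added example that is not part of any poster's reply. The object name DMZ-SERVER, the inside client 192.168.1.50 and the port numbers are constructed sample values.

```cisco
! Pre-8.3 syntax, as used in this thread.
! Interface pair is (real,mapped): the server really lives on dmz and is
! presented to inside. Address order is mapped first, then real.
static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255

! Equivalent object NAT for software 8.3 and later.
! DMZ-SERVER is a hypothetical object name.
object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,inside) static 172.20.1.10

! Verification from privileged EXEC mode.
! The translation entry should pair 10.10.10.10 on dmz with 172.20.1.10 on inside.
show xlate

! Simulate an inside client connecting to the mapped address.
! 192.168.1.50, source port 12345 and destination port 80 are constructed values.
! Check three things in the trace: the packet enters on inside, the destination
! is untranslated to 10.10.10.10, and the output interface is dmz. The outside
! interface should not appear anywhere in the result.
packet-tracer input inside tcp 192.168.1.50 12345 172.20.1.10 80
```

If the trace ends in a drop, the phase that reports it shows whether an access list or a missing route is the cause rather than the NAT rule.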
