
How do I put a server in a DMZ zone?

Is it just a couple commands to put a server in a DMZ zone? HELP!

Here is what I need....

I have a server which needs to be accessed from the outside from any IP address.... and on the inside from the 172.16.4.0 network only.. Can it be done?

I have an ASA 5520...


Marwan ALshawi
VIP Alumni

Let's say the DMZ network is 192.168.1.0/24

and the server IP is 192.168.1.2/24

Do the following

static (DMZ, outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255

If you have a public IP address on the internet and you want users from the internet to access that server on the DMZ through that public IP, do the following

Let's say the public IP is 1.1.1.1

static (DMZ, outside) 1.1.1.1 192.168.1.2 netmask 255.255.255.255

Now you need an ACL applied on the outside interface to allow traffic going to the DMZ server, assuming that the DMZ security level is higher than the outside

without public IP address

access-list 100 permit ip any host 192.168.1.2

with public IP

access-list 100 permit ip any host 1.1.1.1

now apply it on the outside interface

access-group 100 in interface outside

now let's go to the traffic from inside to the DMZ server

static (DMZ, inside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255

Now the traffic from inside to the 192.168.1.2 server will work OK, but if you want the server to start the communication with the inside network you need an ACL to be applied on the DMZ interface, assuming that the inside subnet mask is 255.255.255.0, as follows:

access-list 110 permit ip host 192.168.1.2 172.16.4.0 255.255.255.0

access-group 110 in interface DMZ

and everything will work

If you need any more details just post here

good luck

please if helpful Rate
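
The two ACLs from the reply above can be checked offline before they go on the firewall. The following is an added example, not part of the original posts and not Cisco code: a small first-match evaluator with the implicit deny that ends every ASA ACL. The function names are hypothetical, the test addresses other than those in the reply are constructed, and protocol matching is skipped because both entries use `ip`.

```python
import ipaddress

# ACL lines copied from the reply above (public-IP variant of ACL 100).
# ASA ACLs take subnet masks, not wildcard masks.
ACLS = """\
access-list 100 permit ip any host 1.1.1.1
access-list 110 permit ip host 192.168.1.2 172.16.4.0 255.255.255.0
"""

def take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acls(text):
    """Return {acl_id: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        acl_id, action = tokens[1], tokens[2]
        rest = tokens[4:]              # tokens[3] is the protocol ("ip" here)
        src = take_addr(rest)
        dst = take_addr(rest)
        acls.setdefault(acl_id, []).append((action, src, dst))
    return acls

def evaluate(acls, acl_id, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(acl_id, []):
        if s in src_net and d in dst_net:
            return action
    return "deny (implicit)"

if __name__ == "__main__":
    acls = parse_acls(ACLS)
    # Constructed test flows: (ACL, source, destination)
    for acl_id, src, dst in [("100", "203.0.113.5", "1.1.1.1"),
                             ("110", "192.168.1.2", "172.16.4.10"),
                             ("110", "192.168.1.2", "172.16.5.10"),
                             ("110", "192.168.1.2", "198.51.100.7")]:
        print(acl_id, src, "->", dst, ":", evaluate(acls, acl_id, src, dst))
```

With ACL 110 bound inbound on the DMZ interface, anything the server initiates toward a destination outside 172.16.4.0/24 falls through to the implicit deny.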

AWESOME! I will try when I get to work tomorrow... here is one thing....

The Cisco WebVPN points to the server that has RDP enabled. Basically, once they log into the WebVPN, they go to the remote desktop to one of our servers then log in...

Would this make any difference?

So would I need to use the public IP or the internal IP scheme? Since basically I am using the Cisco WebVPN to connect to the server?

Hi

The above config will work, but without WebVPN

With WebVPN

I will send you this link; check it first. If it didn't help, send me your scenario and also let me know if you use AnyConnect, thin client SSL, or normal WebVPN

This link is very nice

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c0603.shtml

good luck

please, if helpful rate

Everything has been working for a while with this technology. I am on version 8.0 of the ASA OS. Do I still need the RDP plug-in? That was the reason we upgraded to 8.0 from 7.2

Look at the config file that I attached...

The server IP address that I need to put in the DMZ zone is 172.17.2.81.

I wouldn't think it would matter if I was accessing from WebVPN. Because once I log in to WebVPN it takes us to the RDC page.
