04-27-2012 12:22 AM - edited 03-11-2019 03:59 PM
DMZ: 192.168.10.x, inside: 172.16.x.x.
192.168.10.x is NATted to a public IP 202.x.x.x.
For outside to access 192.168.10.x I have created an access-list named out:
static (inside,outside) 202.x.x.x 192.168.10.x netmask 255.255.255.255
access-list out extended permit tcp any host 202.x.x.x eq 80
access-group out in interface outside
If nat-control is not enabled, then inside users will be able to access the server by default.
Now nat-control is enabled; for inside users to access the DMZ server:
static (dmz,inside) 192.168.10.x 192.168.10.x netmask 255.255.255.255
access-list dmz extended permit tcp any host 192.168.10.x eq 80
Is the above access-list right? Where should the access-group be applied, on dmz or inside?
04-27-2012 12:58 AM
Hi Prashant,
When nat-control is enabled, it is enabled globally. This means that ANY higher security level interface (inside or dmz in your case) requires NAT in order to communicate with hosts on ANY lower security level interface (outside in your case). What I am trying to say is that this is not only the case for INSIDE, but also for the DMZ interface.
Regarding your config, it is not quite OK. As per the requirements of nat-control, DMZ is the lower security level interface in comparison with INSIDE. So you will need to source NAT the inside:
static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.255
This type of NAT is called identity NAT, because the source is not actually changed. This way you can bypass the nat-control requirement.
Dan
04-27-2012 01:20 AM
Thanks
Do the access-list and access-group remain the same?
Another thing: if nat-control is not enabled, then
all the NATted systems in the DMZ should be able to access the internet, as they flow from a higher interface to a lower interface.
Can I give the route on the firewall as
route dmz 0.0.0.0 0.0.0.0 202.x.x.x(gateway)
There is already a default route for outside as
route outside 0.0.0.0 0.0.0.0 202.x.x.x
04-27-2012 01:38 AM
No. The access-list should be:
access-list dmz extended permit tcp any host 172.16.x.x eq 80
if you are trying to connect to 172.16.x.x, destination port 80/TCP.
But you didn't tell me what you are trying to access. Where is the client, where is the server application?
As I see it, the client is on the INSIDE and the server is on the DMZ, so the ACL should be applied on inside:
access-list inside extended permit tcp any host 192.168.10.x eq 80
Routing is in general done by destination, so if you already have the route to the outside, then you do not need to do anything else regarding the routing. Nat-control does not have an impact on the routing table.
Dan
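The following is an added example, not part of the thread and not Cisco's code. It is a toy model of the pre-8.3 ASA rules both of Dan's answers rely on: an inbound access-group on the ingress interface decides first (matching the addresses as seen on that interface, so the outside ACL matches the public address), then nat-control requires a higher-to-lower flow's source to match a translation, and an identity static satisfies that. The config text is constructed: the "x" octets are filled with placeholder addresses (an assumption), and the server's public static is written as (dmz,outside) because the thread places 192.168.10.x on the DMZ interface. The original poster's attempt is derived from it by swapping in the (dmz,inside) static and leaving no access-group on inside, so the two can be compared for the same inside-to-DMZ flow.

```python
"""Toy model of ASA 8.2-style security levels, nat-control, static NAT and
inbound access-groups. Added example; this is NOT the ASA implementation,
it only encodes the behaviour described in the thread above."""
import re

# Constructed config (placeholder addresses are assumptions). The server's
# public static uses (dmz,outside) since the thread puts 192.168.10.x on dmz.
CORRECTED = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
nat-control
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (inside,dmz) 172.16.1.10 172.16.1.10 netmask 255.255.255.255
access-list out extended permit tcp any host 203.0.113.10 eq 80
access-group out in interface outside
access-list inside extended permit tcp any host 192.168.10.10 eq 80
access-group inside in interface inside
"""

# The original poster's attempt: static written in the (dmz,inside) direction
# and no access-group bound on inside.
ORIGINAL = CORRECTED.replace(
    "static (inside,dmz) 172.16.1.10 172.16.1.10 netmask 255.255.255.255",
    "static (dmz,inside) 192.168.10.10 192.168.10.10 netmask 255.255.255.255",
).replace("access-group inside in interface inside\n", "")


def parse(text):
    """Pick out the handful of statements the model understands."""
    cfg = {"levels": {}, "nat_control": False, "statics": [], "acls": {}, "groups": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            cur = m[1]
        elif m := re.match(r"security-level (\d+)$", line):
            cfg["levels"][cur] = int(m[1])
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            # ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
            cfg["statics"].append((m[1], m[2], m[3], m[4]))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) "
                           r"(any|host \S+) (any|host \S+)(?: eq (\d+))?", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5], m[6]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["groups"][m[2]] = m[1]
    return cfg


def _addr_matches(spec, ip):
    return spec == "any" or spec.split()[1] == ip


def evaluate(cfg, ingress, egress, src, dst, dport, proto="tcp"):
    """Return (verdict, reason) for one new connection. Addresses are as seen
    on the ingress interface, which is what a pre-8.3 interface ACL matches."""
    lv = cfg["levels"]
    # 1. Inbound ACL on the ingress interface; with none bound, only
    #    higher-to-lower traffic is allowed through by default.
    acl = cfg["groups"].get(ingress)
    if acl is None:
        if lv[ingress] <= lv[egress]:
            return "deny", f"no access-group on {ingress} and {ingress} is not higher than {egress}"
    else:
        for action, p, s, d, port in cfg["acls"][acl]:
            if p == proto and _addr_matches(s, src) and _addr_matches(d, dst) \
                    and (port is None or int(port) == dport):
                if action == "deny":
                    return "deny", f"ACL {acl} denies the flow"
                break
        else:
            return "deny", f"no ACE in {acl} on {ingress} matches (implicit deny)"
    # 2. Translation. Higher-to-lower: the source needs a translation from
    #    ingress to egress when nat-control is on (identity static counts).
    if lv[ingress] > lv[egress]:
        for real_if, mapped_if, mapped, real in cfg["statics"]:
            if real_if == ingress and mapped_if == egress and real == src:
                return "permit", f"source {src} -> {mapped} via static ({real_if},{mapped_if})"
        if cfg["nat_control"]:
            return "deny", f"nat-control: no translation for {src} from {ingress} to {egress}"
        return "permit", "nat-control off, source passes untranslated"
    # Lower-to-higher: the destination must be a static's mapped address.
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        if real_if == egress and mapped_if == ingress and mapped == dst:
            return "permit", f"destination {dst} untranslated to {real} via static ({real_if},{mapped_if})"
    return "deny", f"no static maps {dst} on {ingress} to a host on {egress}"


def check_all():
    """Evaluate the thread's two flows against both configurations."""
    flows = {
        "outside->dmz web (corrected)": (parse(CORRECTED), "outside", "dmz", "198.51.100.7", "203.0.113.10", 80),
        "inside->dmz web (corrected)": (parse(CORRECTED), "inside", "dmz", "172.16.1.10", "192.168.10.10", 80),
        "inside->dmz web (original)": (parse(ORIGINAL), "inside", "dmz", "172.16.1.10", "192.168.10.10", 80),
    }
    return {name: evaluate(cfg, *args) for name, (cfg, *args) in flows.items()}


if __name__ == "__main__":
    for name, (verdict, why) in check_all().items():
        print(f"{name}: {verdict} ({why})")
```

Running it shows the outside-to-DMZ web flow permitted by the out ACL plus the (dmz,outside) static in both configs, the inside-to-DMZ flow permitted in the corrected config because the identity static (inside,dmz) satisfies nat-control, and the same flow dropped by nat-control in the original config, where the only static is written as (dmz,inside) and therefore does not translate the inside source.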