Setting up DMZ on ASA

Hi Community,

I have a Cisco ASA 5520 with the following interfaces set up:

Outside (0) 78.93.*.*

Inside (100) 10.1.2.20

Now I am planning to set up a DMZ, and there will be a web server in that zone.

I need help with two things:

1. How do I allow people to access this web server from the public network?

2. How do I allow only my PC, residing in the inside network, to access this server, and vice versa?


Any help would be highly appreciated.

1 ACCEPTED SOLUTION


Re: Setting up DMZ on ASA

Hi,

Normally this is what you'll have:

inside = security level 100

outside = security level 0

dmz = security level 50

To allow traffic from outside to dmz you need:

static (dmz,outside) public_IP private_IP --> public_IP is the NATed IP for the web server and private_IP is the real IP

access-list outside_in permit tcp any host public_IP eq 80

access-group outside_in in interface outside

The above ACL will permit only TCP port 80 to the web server from the outside and it's applied to the outside interface.

In order to allow communication from inside to dmz, you just need NAT:

nat (inside) 1 0 0

global (dmz) 1 interface

Federico.

12 REPLIES

Re: Setting up DMZ on ASA

Thanks for the prompt response

nat (inside) 1 0 0

global (dmz) 1 interface

This will allow all inside hosts to communicate with the DMZ server.

But in my case, I want to allow a single host (that is, my PC) to communicate with this server.

Re: Setting up DMZ on ASA

To allow a single PC instead of having:

nat (inside) 1 0 0

global (dmz) 1 interface

You change it to this:

nat (inside) 1 x.x.x.x 255.255.255.255

global (dmz) 1 interface

Replace x.x.x.x with the IP.

Federico.


Re: Setting up DMZ on ASA

What would happen if I make a static NAT?

Re: Setting up DMZ on ASA

You can create a static NAT:

Assuming your inside IP is 10.0.0.1

static (inside,dmz) 10.0.0.1 10.0.0.1

Static NAT is normally done for inbound access (from a lower security interface to a higher security one).

Regular NAT is normally done for outbound traffic (that's why I gave you that example).

Short answer is... either way will work.

The problem with static NAT is that the DMZ will have access to initiate traffic to your PC (if allowed by ACL).


Federico.


Re: Setting up DMZ on ASA

I have heard something about exempt NAT. Perhaps I didn't get any idea from the web.

Please can you explain with a simple example?

Thanks for your help

Re: Setting up DMZ on ASA

Exempt NAT is NAT 0 with an ACL.

It allows you to define which traffic bypasses NAT, and it has the highest preference in the NAT priority check done by the ASA.

It is normally used to bypass NAT for VPN traffic,

i.e.:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list nonat

The above will allow traffic to flow between both networks with NAT.

If you do the example of the static...

static (inside,dmz) 10.0.0.1 10.0.0.1

then you are allowing traffic to pass with NAT as well (this is static Identity NAT because you're not really translating the address anyway).

Federico.


Re: Setting up DMZ on ASA

If I am not wrong, can I just create an ACL to allow traffic from inside to dmz without NAT... Is it possible to make it?

Re: Setting up DMZ on ASA

Yes.

Depending on the version.

If you have nat-control enabled (you can check it with sh run nat-control), then you MUST have a NAT rule for the ASA to allow traffic to pass between interfaces.

If you disable nat-control, then you can pass traffic without NAT.

However, an ACL is not required to pass traffic from inside to dmz.

An ACL is required to pass traffic from a lower security to a higher security (like in the case from dmz to inside).

Federico.


Re: Setting up DMZ on ASA

This is what I have done after your great explanation:

Static NAT

static (inside,dmz) 10.1.2.18 10.1.2.18 netmask 255.255.255.255

Created an ACL to allow the traffic from dmz to inside:

access-list DMZ-1_access_in line 2 extended permit tcp host 172.16.1.X object-group MYPC object-group sqlnet

Re: Setting up DMZ on ASA

Remember the important rules:

Traffic from higher security to lower security requires NAT (if nat-control is enabled).

Traffic from lower security to higher security requires static NAT and an ACL.

If you already have an ACL applied to an interface, i.e. inside, then all traffic that should be permitted must be explicitly defined.

If you really understand the above, you're done (for the basics).

Federico.
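As an added example (not the ASA's own logic, and not code posted in this thread), the following Python model encodes the rules summarised above together with the static/ACL pattern from the accepted solution, so the inside/dmz/outside flows discussed in the thread can be checked offline before touching the firewall. The addresses 203.0.113.10 and 172.16.1.10 and the port 1521 are constructed placeholders standing in for the elided public IP, the DMZ web server and the sqlnet object-group; the NAT matching is a simplification of the real pre-8.3 NAT order.

```python
from ipaddress import ip_address, ip_network
# Security levels from the thread; flow rules are a simplified pre-8.3 ASA model
SEC_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

class Asa:
    def __init__(self, nat_control=True):
        self.nat_control = nat_control
        self.dynamic = []  # (nat_if, global_if, net): nat (x) 1 net + global (y) 1 interface
        self.static = []   # (real_if, mapped_if, real, mapped): static (real_if,mapped_if) mapped real
        self.exempt = []   # (nat_if, src_net, dst_net): nat (x) 0 access-list
        self.acl = {}      # ingress_if -> [(src_net, dst_ip, port)] from access-group ... in

    def nat_covers(self, sif, dif, src, dst):
        """True if some translation lets a src->dst flow cross from sif to dif."""
        for a, b, net in self.dynamic:  # dynamic NAT only covers the outbound direction
            if (a, b) == (sif, dif) and src in net:
                return True
        for a, b, real, mapped in self.static:  # static NAT covers both directions
            if ((a, b) == (sif, dif) and src == real) or ((b, a) == (sif, dif) and dst == mapped):
                return True
        for a, s, d in self.exempt:  # nat 0 access-list: bidirectional, highest priority
            if (a == sif and src in s and dst in d) or (a == dif and dst in s and src in d):
                return True
        return False

    def acl_permits(self, sif, src, dst, port):
        """None when no ACL is applied on sif; otherwise whether an entry permits the flow."""
        if sif not in self.acl:
            return None
        return any(src in s and dst == d and port == p for s, d, p in self.acl[sif])

    def allows(self, sif, dif, src, dst, port):
        """Addresses are pre-translation, which is what pre-8.3 ACLs match on."""
        src, dst = ip_address(src), ip_address(dst)
        nat_ok = self.nat_covers(sif, dif, src, dst)
        acl = self.acl_permits(sif, src, dst, port)
        if SEC_LEVEL[sif] > SEC_LEVEL[dif]:
            # higher -> lower: NAT needed only under nat-control; ACL only if one is applied
            return (nat_ok or not self.nat_control) and acl is not False
        # lower -> higher: needs a static (or exempt) translation AND an explicit ACL permit
        return nat_ok and acl is True

def thread_config():
    """Constructed: the configuration the thread ends up with, using placeholder addresses."""
    asa = Asa(nat_control=True)
    asa.static.append(("dmz", "outside", ip_address("172.16.1.10"), ip_address("203.0.113.10")))
    asa.acl["outside"] = [(ip_network("0.0.0.0/0"), ip_address("203.0.113.10"), 80)]
    asa.static.append(("inside", "dmz", ip_address("10.1.2.18"), ip_address("10.1.2.18")))
    asa.acl["dmz"] = [(ip_network("172.16.1.10/32"), ip_address("10.1.2.18"), 1521)]  # sqlnet assumed 1521
    return asa
```

With nat-control on, only the PC that has the identity static reaches the DMZ, and the DMZ server can only open the explicitly permitted port back to that PC; with nat-control off, the inside-to-dmz direction needs no translation at all, as the thread describes.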


Re: Setting up DMZ on ASA

Thank you so much for clearing all my doubts.

That was quite helpful.
