Cisco Support Community
Community Member

shifting the servers from inside to DMZ

Hi all,

I have to make a DMZ in my network. Currently my servers are working in the inside network, but now I have to shift these servers to the DMZ.

Kindly look at my configuration and guide me on how I can achieve this goal. Thanks.

********************

ASA Version 8.0(4)
!
! Interfaces: outside (security 0), Inside (100), DMZ (50), management (100)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.252
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/3
 description LAN Failover Interface
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! Inbound ACL on outside: servers are still referenced by their inside (192.168.0.x) addresses
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! NAT exemption ACLs and interface ACLs
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
access-list inside_access_all extended permit ip any any
access-list DMZ_access_all extended permit icmp any any
!
! NAT: Inside and DMZ are exempted from translation; identity static Inside -> DMZ
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
access-group outside_access_in in interface outside
access-group inside_access_all in interface Inside
access-group DMZ_access_all in interface DMZ
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
: end

ASA#

2 REPLIES
Community Member

Re: shifting the servers from inside to DMZ

Hi,

With this config you will not be able to access your servers from outside.

Community Member

Re: shifting the servers from inside to DMZ

Hi,

I think the following lines are confusing:

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
access-list inside_access_all extended permit ip any any
access-list DMZ_access_all extended permit icmp any any
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Can you tell me what you are planning to use these lines for?

To have your inside network access the DMZ, just enter the commands below and it will work; you don't need anything else:

access-list inside_nat0 extended permit ip any 192.168.100.0 255.255.255.0
nat (Inside) 0 access-list inside_nat0

That's it; this will serve your purpose and you will be able to access the DMZ from Inside.

And to access the DMZ from Outside you need to create static/dynamic NAT as required.

Regards,

Hussain
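An added example, not from the original post or either reply, of how the outside and DMZ ACLs could be adjusted once the three servers have been re-addressed in the DMZ. The new addresses 192.168.100.201, .204 and .210 are assumed here; the poster's existing NAT exemption for 192.168.100.0/24 (nat (DMZ) 0 access-list nonatDMZ) is kept, so on ASA 8.0(4) the outside ACL matches the servers' real DMZ addresses.

```cisco
! Added example (not from the thread). Assumed re-addressing, constructed for this example:
!   192.168.0.201 -> 192.168.100.201, 192.168.0.204 -> 192.168.100.204,
!   192.168.0.210 -> 192.168.100.210
!
! 1. Permit the same client sources to the same services at the new DMZ addresses.
!    The specific deny for host .38 on port 7777 is placed BEFORE the /24 permit; in the
!    posted config it comes after the permit and is therefore never matched.
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.204 eq www
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.100.201 eq 8080
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.100.201 eq 7777
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.100.201 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.100.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.100.204 eq 7777
!
! 2. Remove the stale entries that still point at the old inside addresses, so outside
!    clients do not keep a permitted path to 192.168.0.x hosts after the move.
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
no access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
no access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
no access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
no access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
no access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
!
! 3. Keep the DMZ from initiating connections into the inside network, so a compromised
!    DMZ server has no free path to 192.168.0.0/24. Inserted at line 1 so it is evaluated
!    before the existing "permit icmp any any"; Inside -> DMZ sessions still return statefully.
access-list DMZ_access_all line 1 extended deny ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! 4. Verify after cut-over: hit counts should appear on the 192.168.100.x entries.
show access-list outside_access_in
```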
