ASA 5510 DMZ configuration

I currently have an ASA 5510 with which I'm trying to set up an HTTP/FTP host on a DMZ. Currently the DMZ host is accessible externally, but hosts on the internal network cannot access it. I have a dedicated IP for the DMZ host (1.1.1.228) and another IP for interface PAT for the internal clients (1.1.1.238). I know I'm missing a piece, either a nat() statement or a static() statement, please advise.

interface Ethernet0/0
 description Outside Interface
 nameif outside
 security-level 0
 ip address 1.1.1.238 255.255.255.240
!
interface Ethernet0/1
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
--- partial outside inbound ACL ---
! Applied inbound on outside. In this (pre-8.3) NAT model the ACL matches the
! public, pre-translation address 1.1.1.228, not the DMZ host's real address.
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq https
!
--- DMZ ACL ---
! Applied inbound on dmz, so it governs connections the DMZ host initiates.
! Return traffic for established sessions is allowed statefully without it;
! the "eq www ... any" entries match on the DMZ host's source port.
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp host 192.168.0.11 eq www any
access-list DMZ extended permit tcp host 192.168.0.11 eq https any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp-data any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp any
!
! NAT (pre-8.3 static/global/nat syntax). The dynamic rule "nat (inside) 1"
! matches every inside source, but the only global with ID 1 is on outside;
! there is no global (dmz) 1 and no static covering inside->dmz.
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.231 10.0.0.85 netmask 255.255.255.255
static (dmz,outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255
!
access-group outside_access_in in interface outside
access-group DMZ in interface dmz

Accepted Solution

Re: ASA 5510 DMZ configuration

Add:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

The above statement will allow the inside hosts to access DMZ hosts using the DMZ devices' own IPs, and vice versa.

And if necessary, use ACL to restrict access from inside to DMZ, or DMZ to inside.

Cheers!

AK
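The identity static from the accepted answer, shown in context with the reason it works, the DMZ-to-inside restriction the answer recommends, and the commands to verify the result. This is an added example, not part of the original thread. It uses the same pre-8.3 static/global/nat syntax as the poster's config (ASA 8.3 and later replaced this model with object NAT and would need a different rewrite); the ACL name inside_to_dmz and the choice to limit inside clients to the published HTTP, HTTPS and FTP services are assumptions.

```text
! Why inside->dmz fails in the original config: "nat (inside) 1 0.0.0.0
! 0.0.0.0" matches every inside source, the only global with ID 1 is on
! outside, and no static covers the inside->dmz pair, so the ASA finds no
! translation for the flow and drops it.
!
! Fix (from the accepted answer): an identity static. 10.0.0.0/16 appears on
! dmz with its own addresses; statics are evaluated before the dynamic
! nat/global pair, so inside hosts reach 192.168.0.11 directly and the DMZ
! host sees the real 10.0.0.x source.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

! Caveat: the same static makes 10.0.0.0/16 reachable from the dmz side, and
! the existing DMZ ACL opens with "permit icmp any any", so the DMZ host could
! now ping inside hosts. Deny dmz->inside ahead of the permits (ACL entries
! are matched top-down, first match wins); "line 1" inserts at the top of the
! existing ACL.
access-list DMZ line 1 extended deny ip any 10.0.0.0 255.255.0.0

! Optional (assumed ACL name): limit inside->dmz to the published services.
! Without an ACL on inside, all higher-to-lower security traffic is allowed.
! "inspect ftp" in the default global policy opens the FTP data channel.
access-list inside_to_dmz extended permit tcp 10.0.0.0 255.255.0.0 host 192.168.0.11 eq www
access-list inside_to_dmz extended permit tcp 10.0.0.0 255.255.0.0 host 192.168.0.11 eq https
access-list inside_to_dmz extended permit tcp 10.0.0.0 255.255.0.0 host 192.168.0.11 eq ftp
access-list inside_to_dmz extended deny ip any 192.168.0.0 255.255.255.0
! Keep inside->outside working (PAT via global (outside) 1 interface).
access-list inside_to_dmz extended permit ip 10.0.0.0 255.255.0.0 any
access-group inside_to_dmz in interface inside

! Verify without generating traffic: packet-tracer walks the ACL, NAT and
! route phases and reports which phase drops the packet.
! Expected: ALLOW for the first (inside client to DMZ web server),
! DROP at the ACCESS-LIST phase for the second (DMZ host pinging inside).
packet-tracer input inside tcp 10.0.0.50 12345 192.168.0.11 80
packet-tracer input dmz icmp 192.168.0.11 8 0 10.0.0.50
! Hit counts per entry confirm which ACL line is matching.
show access-list DMZ
show access-list inside_to_dmz
```

The alternative of adding `global (dmz) 1 interface` would also let inside clients out, but it PATs them behind 192.168.0.1, so the DMZ host's logs would show the firewall's address instead of the real client; the identity static preserves the source address, which is why the answer prefers it.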
