
ASA Inside access DMZ and return

shawvoel
Level 1

Hi Expert,

How do I configure the ASA to allow access from the inside to a DMZ host, and also the return path?

Thank you.

Rgds,

Au Yeong Shaw Voel

Accepted Solution

a.kiprawih
Level 7

Hi,

By default, access from the inside to the DMZ is permitted, as this access is from a higher security level to a lower security level.

Return traffic back to the inside host is automatically granted by the ASA/firewall if the connection/translation is valid/exists.

Example:

Inside IP: 192.168.1.1/24

DMZ: 172.16.1.1/24

Two (2) ways to do it:

a. Use the nat & global commands:

global (dmz) 1 172.16.1.10-172.16.1.20 --> allows the range .10 to .20 to be used by inside hosts to access the DMZ

global (dmz) 1 172.16.1.21 --> all inside hosts will use this IP for PAT if the above range is fully used.

nat (inside) 1 192.168.1.0 255.255.255.0

Note:

- Use an ACL if you need to control which types of service pass through, and apply it on the inside interface.

b. Use a static translation between the inside and DMZ subnets:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Note:

- This will allow an inside host to initiate & access the DMZ, and a DMZ host to initiate & access the inside (DMZ host initiates the connection). When the DMZ accesses an inside host, the DMZ will use the inside host's physical/assigned IP.

- Use an ACL if you need to control which types of service pass through, and apply it on both the dmz & inside interfaces.

Configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

*Look under the 'static (inside,dmz)' command.

Rgds,

AK
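To make the behaviour described in the answer above concrete, here is an added Python model (not ASA code, and not part of the original post) of how a stateful firewall with security levels decides whether to forward a packet: an existing connection is always permitted, a new connection must pass the interface ACL (or, with no ACL bound, the higher-to-lower security-level default), and a new connection also needs a translation. It assumes the pre-8.3 style of the thread, where inside-to-dmz always has a nat/global or static entry and dmz-to-inside only has one under option (b); all hosts, ports and the ACL are constructed for the illustration.

```python
# Added illustration for the thread above: a toy model of a stateful firewall's
# forwarding decision. NOT ASA code and NOT the poster's configuration; the
# addresses, ports and ACL below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface security levels as in the thread: inside (100) is higher than dmz (50).
SECURITY_LEVEL = {"inside": 100, "dmz": 50}


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrives on
    out_if: str     # interface it would leave on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def conn_key(self):
        # Direction-independent key so a reply matches the connection it belongs to.
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))


class ToyAsa:
    """Simplified decision order: existing conn -> ACL/security level -> translation."""

    def __init__(self, static_inside_dmz=False, acls=None):
        # Option (b) from the thread: a static translation also covers dmz -> inside.
        self.static_inside_dmz = static_inside_dmz
        # interface -> list of (action, proto, src_net, dst_net, dport or None)
        self.acls = acls or {}
        self.conns = set()   # connection table of established flows

    def _acl_permits(self, pkt):
        rules = self.acls.get(pkt.in_if)
        if rules is None:
            # No ACL bound to the interface: default is higher -> lower only.
            return SECURITY_LEVEL[pkt.in_if] > SECURITY_LEVEL[pkt.out_if]
        for action, proto, src_net, dst_net, dport in rules:
            if (proto in ("ip", pkt.proto)
                    and ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and dport in (None, pkt.dport)):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

    def _translation_exists(self, pkt):
        # Assumption (pre-8.3 style, as in the thread): inside -> dmz is always
        # covered by nat/global or static; dmz -> inside only by the static of option (b).
        if SECURITY_LEVEL[pkt.in_if] > SECURITY_LEVEL[pkt.out_if]:
            return True
        return self.static_inside_dmz

    def forward(self, pkt):
        if pkt.conn_key() in self.conns:
            return "permit (existing connection)"   # the "return way" the question asks about
        if not self._acl_permits(pkt):
            return "deny (acl/security-level)"
        if not self._translation_exists(pkt):
            return "deny (no translation)"
        self.conns.add(pkt.conn_key())
        return "permit (new connection)"


def run_scenarios():
    # Constructed hosts: 192.168.1.5 on the inside, 172.16.1.50 in the DMZ.
    web = Packet("inside", "dmz", "tcp", "192.168.1.5", 40000, "172.16.1.50", 80)
    web_reply = Packet("dmz", "inside", "tcp", "172.16.1.50", 80, "192.168.1.5", 40000)
    dmz_to_db = Packet("dmz", "inside", "tcp", "172.16.1.50", 51000, "192.168.1.5", 1433)
    dmz_to_ssh = Packet("dmz", "inside", "tcp", "172.16.1.50", 51001, "192.168.1.5", 22)

    # Constructed ACL for the dmz interface: only SQL to one inside host, rest denied.
    dmz_acl = {"dmz": [("permit", "tcp", "172.16.1.0/24", "192.168.1.5/32", 1433),
                       ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]}

    option_a = ToyAsa()                                       # nat/global only, no ACL
    option_a_acl = ToyAsa(acls=dmz_acl)                       # ACL but no static
    option_b = ToyAsa(static_inside_dmz=True, acls=dmz_acl)   # static + ACL on dmz
    return {
        "a_inside_to_dmz": option_a.forward(web),
        "a_reply": option_a.forward(web_reply),
        "a_dmz_initiated": option_a.forward(dmz_to_db),
        "a_acl_no_static": option_a_acl.forward(dmz_to_db),
        "b_dmz_sql": option_b.forward(dmz_to_db),
        "b_dmz_ssh": option_b.forward(dmz_to_ssh),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The scenarios show the point of the answer's two notes: under option (a) the DMZ cannot initiate anything towards the inside, because both the security-level default and the missing translation stop it, while under option (b) the static translation opens the path and only the ACL bound to the dmz interface decides which services the DMZ may reach.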
