05-17-2006 01:18 AM - edited 02-21-2020 12:54 AM
Hi Expert,
How do I configure the ASA to allow access from inside to a DMZ host, and also the return path?
Thank you.
Rgds,
Au Yeong Shaw Voel
05-17-2006 02:27 AM
Hi,
By default, access from inside to dmz is permitted as this access is from higher security level to lower security level.
Return traffic back to inside host is automatically granted by ASA/Firewall if the connection/translation is valid/exists.
Example:
Inside IP: 192.168.1.1/24
DMZ: 172.16.1.1/24
Two (2) ways to do it:
a. Use nat & global command:
global (dmz) 1 172.16.1.10-172.16.1.20 --> allow range of .10 to .20 to be used by inside hosts to access dmz
global (dmz) 1 172.16.1.21 --> all inside will use this IP as PAT if the above range is fully used.
nat (inside) 1 192.168.1.0 255.255.255.0
Note:
- Use ACL if you need to control type of service to pass through and apply on inside interface.
b. Use static translation between inside and DMZ subnets:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Note:
- This will allow inside hosts to initiate & access dmz, and dmz hosts to initiate & access inside (dmz host initiates the connection). When DMZ is accessing an inside host, DMZ will use the inside host's physical/assigned IP.
- Use ACL if you need to control type of service to pass through and apply on both dmz & inside interfaces.
Configuration example:
*look under 'static (inside,dmz)' command.
Rgds,
AK
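Added example (not from AK's post or Cisco's documentation): a complete pre-8.3 ASA configuration that puts the answer's two methods next to the access lists it recommends, so the "return traffic is granted if the translation exists" behaviour can be checked end to end. The interface names and security levels, the ACL names INSIDE_TO_DMZ and DMZ_TO_INSIDE, the DMZ web server 172.16.1.50 and the inside syslog server 192.168.1.20 are constructed for the example; the NAT and subnet values are the ones from the answer. The syntax is ASA 7.x/8.2 (nat/global/static); ASA 8.3 and later use object NAT instead.

```cisco
! Interfaces: inside (100) is higher security than dmz (50), so inside -> dmz
! is permitted by default and dmz -> inside is denied unless an ACL allows it.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Method a: dynamic NAT pool .10-.20 for inside hosts, PAT on .21 once the
! pool is exhausted (same three lines as the answer).
global (dmz) 1 172.16.1.10-172.16.1.20
global (dmz) 1 172.16.1.21
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Limit what inside may open toward the DMZ: only HTTP/HTTPS to the web server
! 172.16.1.50 (constructed). The ACL ends in an implicit deny, so add permit
! lines for any other destination (e.g. the outside) inside still needs.
access-list INSIDE_TO_DMZ extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.50 eq 80
access-list INSIDE_TO_DMZ extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.50 eq 443
access-group INSIDE_TO_DMZ in interface inside
!
! Method b (alternative to the nat/global lines above; static takes precedence
! over nat, so use one or the other): identity static lets DMZ hosts initiate
! toward inside using the inside hosts' real addresses. Because dmz is the
! lower-security interface, a dmz ACL is still required for that direction;
! here only the DMZ web server may send syslog (UDP 514) to 192.168.1.20
! (constructed). Commented out so the file applies method a as written.
! static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! access-list DMZ_TO_INSIDE extended permit udp host 172.16.1.50 host 192.168.1.20 eq 514
! access-group DMZ_TO_INSIDE in interface dmz
```

To confirm the return path works as the answer describes, open a connection from an inside host and look at `show xlate` (the translation built from the pool or PAT address) and `show conn` (the stateful entry that admits the reply). `packet-tracer input inside tcp 192.168.1.10 12345 172.16.1.50 80` walks the same ACL, NAT and security-level checks for a single constructed flow without generating real traffic, which is the quickest way to see which rule drops a flow that should pass.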