ASA Inside access DMZ and return

Hi Expert,

How do I configure the ASA to allow access from inside to a DMZ host, and also the return path?

Thank you.

Rgds,

Au Yeong Shaw Voel

ACCEPTED SOLUTION

Re: ASA Inside access DMZ and return

Hi,

By default, access from inside to DMZ is permitted, as this access is from a higher security level to a lower security level.

Return traffic back to the inside host is automatically granted by the ASA/firewall if the connection/translation is valid/exists.

Example:

Inside IP: 192.168.1.1/24

DMZ: 172.16.1.1/24

Two (2) ways to do it:

a. Use the nat & global commands:

global (dmz) 1 172.16.1.10-172.16.1.20 --> allows the range .10 to .20 to be used by inside hosts to access the DMZ

global (dmz) 1 172.16.1.21 --> all inside hosts will use this IP for PAT once the above range is fully used.

nat (inside) 1 192.168.1.0 255.255.255.0

Note:

- Use an ACL if you need to control the type of service allowed through, and apply it on the inside interface.

b. Use static translation between inside and DMZ subnets:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Note:

- This will allow an inside host to initiate & access the DMZ, and a DMZ host to initiate & access inside (DMZ host initiates the connection). When the DMZ accesses an inside host, it will use the inside host's physical/assigned IP.

- Use an ACL if you need to control the type of service allowed through, and apply it on both the DMZ & inside interfaces.

Configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

*look under the 'static (inside,dmz)' command.

Rgds,

AK
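A small Python model of the behaviour AK describes in option (a), added here as an illustration (it is not code from the thread or from Cisco): inside-to-DMZ packets are translated from the 172.16.1.10-.20 pool with fallback to the .21 PAT address, the flow is recorded, and only the matching return half of a recorded flow is allowed back from the DMZ and untranslated to the real inside address. The interface security levels (inside 100, dmz 50) and the per-flow tuple are assumptions; PAT port tracking is omitted.

```python
import ipaddress

# Addresses from the thread: inside 192.168.1.0/24, DMZ 172.16.1.0/24.
# global (dmz) 1 172.16.1.10-172.16.1.20 -> dynamic NAT pool, one mapped IP per inside host
POOL = [ipaddress.ip_address("172.16.1.10") + i for i in range(11)]
# global (dmz) 1 172.16.1.21 -> PAT address used once the pool is exhausted
PAT_IP = ipaddress.ip_address("172.16.1.21")
# Assumed security levels (typical values, not stated in the thread).
SEC_LEVEL = {"inside": 100, "dmz": 50}


class ToyASA:
    """Minimal model of the xlate and connection tables for the inside<->dmz case."""

    def __init__(self):
        self.xlate = {}     # real inside address -> mapped (global) address
        self.conns = set()  # (mapped_src, dst, dport) for flows the inside side opened

    def _mapped(self, real):
        # Reuse an existing translation; otherwise take a free pool address, else PAT.
        if real not in self.xlate:
            used = set(self.xlate.values())
            free = [ip for ip in POOL if ip not in used]
            self.xlate[real] = free[0] if free else PAT_IP
        return self.xlate[real]

    def packet(self, src_if, dst_if, src, dst, dport):
        """Return the inside host's address as seen on the egress side (mapped
        towards the DMZ, real towards inside), or None if the packet is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if SEC_LEVEL[src_if] > SEC_LEVEL[dst_if]:
            # Higher -> lower security: permitted by default; translate and record the flow.
            mapped = self._mapped(src)
            self.conns.add((mapped, dst, dport))
            return str(mapped)
        # Lower -> higher security: only the return half of a recorded flow gets through,
        # and its destination is untranslated back to the real inside address.
        # (With PAT several hosts share one address; a real ASA uses ports to tell them apart.)
        if (dst, src, dport) in self.conns:
            for real, mapped in self.xlate.items():
                if mapped == dst:
                    return str(real)
        return None
```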
