05-17-2006 01:18 AM - edited 02-21-2020 12:54 AM
Hi Expert,
How do I configure the ASA to allow access from the inside to a DMZ host, and also the return path?
Thank you.
Rgds,
Au Yeong Shaw Voel
05-17-2006 02:27 AM
Hi,
By default, access from inside to DMZ is permitted, as this access is from a higher security level to a lower security level.
Return traffic back to the inside host is automatically granted by the ASA/firewall if the connection/translation is valid/exists.
Example:
Inside IP: 192.168.1.1/24
DMZ: 172.16.1.1/24
Two (2) ways to do it:
a. Use nat & global command:
global (dmz) 1 172.16.1.10-172.16.1.20 --> allows the range .10 to .20 to be used by inside hosts to access the DMZ
global (dmz) 1 172.16.1.21 --> all inside hosts will use this IP for PAT if the above range is fully used.
nat (inside) 1 192.168.1.0 255.255.255.0
Note:
- Use an ACL if you need to control the type of service allowed to pass through, and apply it on the inside interface.
b. Use static translation between inside and DMZ subnets:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Note:
- This will allow inside hosts to initiate & access the DMZ, and DMZ hosts to initiate & access the inside (the DMZ host initiates the connection). When a DMZ host accesses an inside host, it will use the inside host's physical/assigned IP.
- Use ACLs if you need to control the type of service allowed to pass through, and apply them on both the dmz & inside interfaces.
Configuration example:
*look under 'static (inside,dmz)' command.
Rgds,
AK
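The following is an added configuration example (not from AK's answer or a Cisco document) of option (b) in pre-8.3 ASA syntax, showing the identity static plus the ACLs the note above recommends on both interfaces. The interface names, security levels, the DMZ web server 172.16.1.10 and the inside mail relay 192.168.1.25 are assumed values.

```cisco
! Added example, not part of the original answer. Interface names, levels
! and host addresses (172.16.1.10, 192.168.1.25) are assumed/constructed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Option (b): identity static, so inside addresses are visible unchanged
! on the DMZ and either side can initiate a connection.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! inside -> dmz: permitted by security level, but limit it to the
! services the DMZ host actually offers. Return traffic needs no rule;
! the ASA matches it against the existing connection.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.10 eq 80
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.10 eq 443
access-list INSIDE_IN extended deny ip any 172.16.1.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! dmz -> inside: the static makes this reachable, so the dmz ACL decides
! what a DMZ host may open toward the inside (here: SMTP to the relay).
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 192.168.1.25 eq 25
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Verification: the translation must exist before a DMZ host can reach
! the inside, and each active flow appears in the connection table.
! show xlate
! show conn
```

Once an access-group is bound to an interface, its implicit deny applies to all traffic entering that interface, so the trailing permit ip any any keeps flows to other interfaces (for example the outside) working while the explicit deny lines log what is blocked between inside and DMZ.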