ASA Inside access DMZ and return

shawvoel
Level 1

Hi Expert,

How do I configure the ASA to allow access from inside to a DMZ host, and also the return path?

Thank you.

Rgds,

Au Yeong Shaw Voel

1 Accepted Solution


a.kiprawih
Level 7

Hi,

By default, access from inside to dmz is permitted as this access is from higher security level to lower security level.

Return traffic back to inside host is automatically granted by ASA/Firewall if the connection/translation is valid/exists.

Example:

Inside IP: 192.168.1.1/24

DMZ: 172.16.1.1/24

Two (2) ways to do it:

a. Use nat & global command:

global (dmz) 1 172.16.1.10-172.16.1.20 --> allow range of .10 to .20 to be used by inside hosts to access dmz

global (dmz) 1 172.16.1.21 --> all inside will use this IP as PAT if the above range is fully used.

nat (inside) 1 192.168.1.0 255.255.255.0

Note:

- Use ACL if you need to control type of service to pass through and apply on inside interface.

b. Use static translation between inside and DMZ subnets:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Note:

- This will allow an inside host to initiate & access the DMZ, and a DMZ host to initiate & access inside (the DMZ host initiates the connection). When a DMZ host accesses an inside host, it uses the inside host's physical/assigned IP.

- Use ACL if you need to control type of service to pass through and apply on both dmz & inside interfaces.

Configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

*look under 'static (inside,dmz)' command.

Rgds,

AK

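The answer rests on three behaviours that are easy to conflate: the security-level default (inside to DMZ is permitted, DMZ to inside is not), stateful handling of return traffic, and the difference between a dynamic nat/global pool (which only the inside side can use to open connections) and a static identity translation (which also lets DMZ hosts initiate, subject to an ACL). The toy model below is an added illustration, not Cisco code or ASA output; the security levels (100/50), the port-only connection tracking, the sample hosts such as 172.16.1.50 and the ACL on the dmz interface are all constructed assumptions used to exercise the two configurations from the answer.

```python
"""Toy model of the stateful-firewall behaviour the answer describes.
Added illustration, not Cisco code or ASA output; addresses, security
levels and hosts below are constructed sample values."""
from dataclasses import dataclass

# Assumption: conventional ASA security levels (inside 100, dmz 50).
SECURITY_LEVEL = {"inside": 100, "dmz": 50}


@dataclass(frozen=True)
class Flow:
    """Ingress interface, source, egress interface, destination and service
    port of a packet (port tracking is simplified to the service port)."""
    in_if: str
    src: str
    out_if: str
    dst: str
    dport: int


class DynamicNat:
    """Models 'nat (inside) 1' paired with a 'global (dmz) 1' address range
    and a single-address 'global (dmz) 1' PAT fallback."""

    def __init__(self, pool, pat_ip):
        self.free = list(pool)
        self.pat_ip = pat_ip
        self.xlate = {}  # real inside address -> mapped DMZ-side address

    def allows_initiation_from(self, iface):
        # Only the 'nat (inside)' side can build a translation, so DMZ hosts
        # cannot open connections toward inside with this rule alone.
        return iface == "inside"

    def translate(self, real_ip):
        if real_ip not in self.xlate:
            # Pool addresses first; once exhausted, everyone shares the PAT address.
            self.xlate[real_ip] = self.free.pop(0) if self.free else self.pat_ip
        return self.xlate[real_ip]


class StaticNat:
    """Models 'static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0':
    an identity translation that also lets DMZ hosts initiate toward inside."""

    def allows_initiation_from(self, iface):
        return iface in ("inside", "dmz")

    def translate(self, real_ip):
        return real_ip  # identity: inside hosts keep their real address


class Asa:
    def __init__(self, nat, acls=None):
        self.nat = nat
        self.acls = acls or {}    # ingress interface -> set of permitted dports
        self.return_keys = set()  # reverse tuples of established connections

    def process(self, flow):
        # 1. Return traffic of an established connection is permitted
        #    statefully, without re-evaluating NAT rules or ACLs.
        if (flow.in_if, flow.src, flow.out_if, flow.dst, flow.dport) in self.return_keys:
            return "permit", "return traffic of existing connection"
        # 2. A new connection needs a translation buildable from its ingress side.
        if not self.nat.allows_initiation_from(flow.in_if):
            return "deny", "no translation for connections initiated on " + flow.in_if
        # 3. An interface ACL, when present, replaces the security-level default.
        acl = self.acls.get(flow.in_if)
        if acl is not None:
            if flow.dport not in acl:
                return "deny", "blocked by ACL on " + flow.in_if
        elif SECURITY_LEVEL[flow.in_if] <= SECURITY_LEVEL[flow.out_if]:
            return "deny", "lower-to-higher security level with no ACL"
        mapped = self.nat.translate(flow.src)
        # Remember the reverse tuple so the reply is recognised in step 1.
        self.return_keys.add((flow.out_if, flow.dst, flow.in_if, mapped, flow.dport))
        return "permit", "new connection, source mapped to " + mapped


def demo():
    """Walk through both approaches from the answer; returns the verdicts."""
    pool = ["172.16.1.%d" % i for i in range(10, 21)]  # .10-.20, eleven addresses
    dyn = Asa(DynamicNat(pool, "172.16.1.21"))
    r = {}
    r["inside_to_dmz"] = dyn.process(Flow("inside", "192.168.1.5", "dmz", "172.16.1.50", 80))
    r["dmz_reply"] = dyn.process(Flow("dmz", "172.16.1.50", "inside", "172.16.1.10", 80))
    r["dmz_initiates_dyn"] = dyn.process(Flow("dmz", "172.16.1.50", "inside", "192.168.1.5", 22))
    # Eleven more inside hosts exhaust the pool; the last one lands on the PAT address.
    for i in range(6, 17):
        r["pool_%d" % i] = dyn.process(Flow("inside", "192.168.1.%d" % i, "dmz", "172.16.1.50", 80))
    stat = Asa(StaticNat(), acls={"dmz": {80}})  # constructed: only web from DMZ to inside
    r["dmz_initiates_static_web"] = stat.process(Flow("dmz", "172.16.1.50", "inside", "192.168.1.5", 80))
    r["dmz_initiates_static_ssh"] = stat.process(Flow("dmz", "172.16.1.50", "inside", "192.168.1.5", 22))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-26s %s" % (name, verdict))
```

The model makes the trade-off explicit: with the nat/global pair alone, a DMZ host gets "no translation" when it tries to reach inside, which is the safer default for a DMZ; the static identity translation opens that direction, so the ACL on the dmz interface becomes the only control over what DMZ hosts may reach, exactly as the second note in the answer warns.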
