Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
251
Views
0
Helpful
2
Replies

DMZ on ASA 5520

rhauk0868
Level 1
Level 1

‎06-19-2014 11:11 AM - edited ‎02-21-2020 05:12 AM

 I have a slight emergency that was dumped on me to be done this week.

I have an ASA 5520 and need to setup a DMZ for one server. It need to communicate to one server on my inside network and to the internet over specific ports.

 

I am not totally ignorant on Cisco but it has been a very long time since I have done this type thing and would appreciate any help given.

 

I have setup GE0/2 With Name DMZ state enabled Security 50 IP 172.16.2.1 Mask of 255.255.255.0 but that is as far as I have gone. I need to setup I believe a deny all and then open the ports needed but not sure the how to on this part.

0 Helpful
2 Replies 2

rvarelac
Level 7
Level 7

‎06-19-2014 01:43 PM

Hi

 

After configuring the interfaces on the ASA , you can create an ACL to permit access to the internal server from the DMZ.

For example if we use the following values :

Internal server : 10.198.16.254/24

DMZ server: 172.16.29.20 /24

The access list would be:

access-list DMZ-ACL permit ip 172.16.29.0 255.255.255.0 10.198.16.0 255.255.255.0

access-group DMZ-ACL in interface DMZ

or you can specify to allow only that host with the following config

access-list DMZ-ACL permit ip 172.16.29.0 255.255.255.255 10.198.16.0 255.255.255.255

And to allow access from internet to the DMZ server you must  do a NAT translation .

 

Example :

sintaxis (interfaces names)   global ip port real ip port

static (DMZ,outisde) tcp/udp 64.20.20.5 80 172.16.29.20 90

 

Hope this help!

Regards ,

 

 

 

0 Helpful

nkarthikeyan
Level 7
Level 7

‎06-21-2014 02:04 AM

Hi,

 

You need to set Nonat for the inside to dmz or dmx to inside access and for outisde access for dmz server you need to do port based translation.

Your DMZ Server: 172.16.2.10

Your Internal Server: 192.168.1.10

object network obj-local

host 192.168.1.10

object network obj-dmz

host 172.16.2.10

!

nat (dmz,inside) 1 source static obj-dmz obj-dmz destination static obj-local obj-local

 

for Internet access:

object obj-public

host 1.1.1.1

object service obj-udp-900

service udp source eq 900

!

nat (dmz,outside) 1 source static obj-dmz obj-public service obj-udp-900 obj-udp-900

!

HTH

 

Regards

Karthik

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card