Cisco Support Community
Community Member

dmz to lan w/ NAT - config?

customer on premises requires access to our network.

requirements:

provide internet access

restrict access to various servers

nat addresses

is there any config out there which will help with dmz to lan access?

thanks for any help.

1 ACCEPTED SOLUTION

Community Member

Re: dmz to lan w/ NAT - config?

Hello Tsrader,

Your config looks pretty good for the most part. Here are some changes I would make:

access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any

The TCP/UDP/ICMP are all encompassed by the IP statement, so they really aren't needed. However, you don't actually apply that access-list to the inside interface, so by default, all traffic from the inside would be allowed to the gtadmz. If you wanted to block traffic from the inside to the gtadmz, you might do this:

access-list inside_access_in deny ip any object-group customer_nets
access-list inside_access_in permit ip any any

This will only allow connections that originate from the gtadmz to the inside and return packets.

On the NAT/Global statements, those are correct. Any requests from the gtadmz will appear to be from the IP address of the inside interface of the firewall to the servers on the inside. If that is what you want, then it should work just fine.

Finally, the question about applying the access-list to the interface. What you put is in correct.

I hope this helps.

--Gavin Budd
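An added illustration (my own code, not from this thread or from Cisco): a small first-match evaluator for the access-lists discussed above. It assumes the customer_nets object-group holds the 10.10.5.0 255.255.252.0 network from the nat statement and uses constructed 192.0.2.x addresses for the inside servers; it shows that "permit ip any any" already covers TCP/UDP/ICMP and that the customer_nets deny only takes effect when it sits before that permit.

```python
import ipaddress
# Assumption: object-group customer_nets holds the network from the poster's nat statement.
OBJECT_GROUPS = {"customer_nets": ["10.10.5.0 255.255.252.0"]}

def _addr_matches(spec, addr):
    """Match one ACE address field: any | host X | object-group NAME | NET MASK."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    kind, value = spec.split(maxsplit=1)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "object-group":
        return any(_addr_matches(member, addr) for member in OBJECT_GROUPS[value])
    # NET MASK form; strict=False tolerates a non-boundary address such as 10.10.5.0/22
    return ip in ipaddress.ip_network(f"{kind}/{value}", strict=False)

def parse_acls(config_text):
    """Collect 'access-list NAME action proto SRC DST' lines per name, in file order."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        fields = []
        for _ in range(2):  # source field, then destination field
            width = 1 if rest[0] == "any" else 2
            fields.append(" ".join(rest[:width]))
            rest = rest[width:]
        acls.setdefault(name, []).append((action, proto, fields[0], fields[1]))
    return acls

def evaluate(acl, proto, src, dst):
    """First matching ACE wins ('ip' covers every protocol); unmatched traffic is denied."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and _addr_matches(s, src) and _addr_matches(d, dst):
            return action
    return "deny"

# Constructed sample: corrected inside ACL, the same two ACEs in the wrong order, dmz ACL.
SAMPLE_CONFIG = """
access-list inside_access_in deny ip any object-group customer_nets
access-list inside_access_in permit ip any any
access-list inside_wrong_order permit ip any any
access-list inside_wrong_order deny ip any object-group customer_nets
access-list dmz_access_in deny ip any host 192.0.2.10
access-list dmz_access_in permit ip any any
"""
ACLS = parse_acls(SAMPLE_CONFIG)
```

With the deny placed first, inside hosts cannot reach the customer network while everything else is still permitted; with the order reversed the deny is never consulted.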

4 REPLIES
Community Member

Re: dmz to lan w/ NAT - config?

Tsrader,

Are you looking for a base config that would allow some of this?

Something like:

nat (dmz) 1 10.10.5.0 255.255.252.0
global (inside) 1 interface
access-list dmz_access_in deny ip any host server_ip_address
access-list dmz_access_in deny ip any host another_server_ip_address
access-list dmz_access_in permit ip any any
access-group dmz_access_in in interface dmz

Does this help or do you need more detailed help?

Thanks

--Gavin Budd

Community Member

Re: dmz to lan w/ NAT - config?

see attached proposed config.

(diagram revised to reflect proper ip addressing)

Community Member

Re: dmz to lan w/ NAT - config?

diagram and proposed config attached.

thx for any input
