Cisco Support Community
New Member

How can I permit access to DMZ only to the inbound access?

For example:

If I wanted to permit access to the FTP server on host 10.13.0.5 (DMZ) from the private LAN (10.2.0.0) but not from the Internet, can I do it with the "conduit" command?

Thanks.

3 REPLIES
New Member

Re: How can I permit access to DMZ only to the inbound access?

You must create a static for your LAN towards the DMZ, for example:

static (dmz,inside) 10.2.0.1 10.13.0.5 netmask 255.255.255.255

conduit permit tcp host 10.2.0.1 eq ftp any

and now 10.2.0.1 is the FTP server for your LAN.

New Member

Re: How can I permit access to DMZ only to the inbound access?

You don't need the static & conduit statements in this scenario. Since traffic will flow from higher security (inside, security 100) to lower security (DMZ, security 50) via the nat (DMZ) 1... command, you should use the static/conduit. One way of controlling this type of access would be using access-lists and access-group and applying this to the inside interface in the inbound direction. This is the same concept as the older PIX software using outbound/apply.

I hope that helps. Please feel free to correct me.

New Member

Re: How can I permit access to DMZ only to the inbound access?

You don't need static translation. What you need is a NAT command with appropriate access-list/access-group commands.

About NAT, you have two choices:

1) Make a real translation

2) No translation at all

I prefer the second way to do that:

Example with no translation.

a) Create an access-list to limit who will access the FTP server.

access-list nonatinside permit ip 10.2.0.0 255.255.255.0 host 10.13.0.5

b) Create a NAT statement that disables translation for the previous access-list:

nat (inside) 0 access-list nonatinside

Then inside hosts will be able to access your FTP server on any port, with their real IP addresses (no translation). If you want to limit the range of ports, you can create an access-list applied to the inside interface, or do some filtering on the server directly, which is not a bad idea, or both.

Ben
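A complete PIX 6.x configuration that combines the two approaches from the second and third replies (NAT exemption with nat 0 so the server sees real LAN addresses, plus an inbound access-list on the inside interface that narrows LAN-to-DMZ traffic to FTP only) is given here as an added worked example; it is not from any of the posters. The interface names, the firewall's own interface addresses, the nat 1/global pair and the inside_in access-list name are assumptions; only the 10.2.0.0/24 LAN, the 10.13.0.5 server and the nonatinside access-list come from the thread.

```cisco
! Interfaces and security levels (interface names assumed; levels as stated in the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Firewall interface addresses are assumptions for the example
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.2.0.254 255.255.255.0
ip address dmz 10.13.0.254 255.255.255.0

! Ordinary PAT for inside hosts going to the Internet (assumed to already exist)
nat (inside) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface

! Step 1 (third reply): exempt inside -> FTP server from translation, so 10.13.0.5
! sees the real 10.2.0.x source addresses. "nat 0 access-list" takes precedence
! over the nat 1 statement above for traffic matching the list.
access-list nonatinside permit ip 10.2.0.0 255.255.255.0 host 10.13.0.5
nat (inside) 0 access-list nonatinside

! Step 2 (second and third replies): an access-list applied inbound on the inside
! interface limits what the LAN may open towards the DMZ. First match wins, so
! the order is deliberate:
!   1. allow only the FTP control channel to the server
!   2. block everything else from the LAN into the DMZ subnet
!   3. keep the LAN's existing Internet access
access-list inside_in permit tcp 10.2.0.0 255.255.255.0 host 10.13.0.5 eq ftp
access-list inside_in deny ip any 10.13.0.0 255.255.255.0
access-list inside_in permit ip 10.2.0.0 255.255.255.0 any
access-group inside_in in interface inside

! The FTP fixup (enabled by default) inspects PORT/PASV on the control channel and
! opens the data connection dynamically, so port 20 / passive ports need no extra line.
fixup protocol ftp 21

! Nothing maps 10.13.0.5 to an outside address. With no static/conduit (or static plus
! an access-list on the outside interface) for it, outside -> DMZ to the server is
! dropped by default, which is the "not from the Internet" half of the question.
```

To check the result, "show access-list inside_in" shows hit counts per line (an FTP session from the LAN should increment the first line, a telnet attempt to the server the deny line), and "show conn" should list the LAN-to-server connections with untranslated 10.2.0.x addresses. If the LAN also needs to reach other DMZ hosts, add those permits before the deny line; the trailing "permit ip ... any" is what keeps Internet access working once an access-group is bound to the inside interface, since the implicit deny at the end of the list would otherwise drop it.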
