
Query on DMZ implementation.

15 years 5 months ago #30989 by chidimaar
Hi,
I am trying to set up a DMZ on my ASA 5510; I am not able to access a web server on the DMZ from inside.

I did some searching on the internet (on firewall.cx as well) and found out I need to add a static command between inside and DMZ.
If my
inside is 10.10.10.0
DMZ is 192.168.10.0

I should have a static NAT between inside and DMZ; the command would be
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Could anyone please help me understand what the above-mentioned command really does?

Thanks.
15 years 5 months ago #30991 by Chris
chidimaar,

I've removed your identical post in our other category as there is no need to make double posts - it just confuses things. One post is sufficient on Firewall.cx :)

Regarding your question, you need two things:

1) A Static NAT command
2) ACLs allowing traffic to pass between the two networks.

The static NAT command you mentioned should be correct according to the information you've provided:

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

The above command ensures that no NAT translation is performed for traffic from your INSIDE network toward the DMZ zone. This effectively means that machines in your DMZ zone will see the requests coming from your internal LAN IP range and try to reply back to them.

With Cisco ASAs, it is imperative that every NAT command is accompanied by its ACL (access list); otherwise no traffic will be allowed over your ASA.

So, with that in mind, you need to create an access list and apply it to your INSIDE interface.

For example:

access-list inside-in extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0

The above should give you access to your DMZ from your LAN network.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
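As an added, complete example (not Chris's or the original poster's configuration), the inside-to-DMZ setup described in the reply above in pre-8.3 ASA syntax, which is what this thread uses. The interface names, security levels, the ASA's interface addresses (10.10.10.1 and 192.168.10.1) and the ACL name inside-in are assumptions; the two networks come from the thread.

```cisco
! Added example: pre-8.3 ASA syntax. Interface names, security levels
! and the ASA's own addresses are assumed; the networks are from the thread.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Identity (no-translation) static: inside hosts keep their real addresses
! when talking to the DMZ, so DMZ servers reply directly to 10.10.10.x.
! Note the space after "static": the form "static(inside, dmz)" is rejected.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Once an ACL is bound to the inside interface, its implicit deny replaces
! the default "higher security level may initiate anywhere" behaviour.
! The first line is the DMZ permit from the reply; the second keeps
! internet access working. Tighten "any" to what inside really needs.
access-list inside-in extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside-in extended permit ip 10.10.10.0 255.255.255.0 any
access-group inside-in in interface inside
```

Two checks worth doing alongside this: the DMZ web server's default gateway must be the ASA's DMZ address (192.168.10.1 here), or its replies to 10.10.10.x never reach the firewall; and `show running-config nat-control` tells you whether the box enforces NAT (nat-control is off by default on ASA 7.x/8.x, in which case the identity static is harmless but not strictly required, while with it on the static is mandatory).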
15 years 5 months ago #30992 by chidimaar
Thanks for the reply Chris !!

Let me get this right.

For traffic to flow between any two interfaces of the firewall, regardless of their security level, I must specify a NAT/no-NAT along with an ACL permitting the traffic.


Please correct me if I am wrong.

Thanks.
15 years 5 months ago #30995 by chidimaar
Also, with the above query, currently I am not able to access the server on the DMZ from the internet. I have a bunch of public IPs provided to me by my ISP, out of which I am using one public IP for the server so that it'll be accessible over the internet.
As mentioned earlier, 192.168.10.0/24 is my DMZ, and 192.168.10.5 is the web server.

I have configured the required things like static NAT and access list:

static (dmz, outside) 124.x.y.z 192.168.10.5 netmask 255.255.255.255

access-list outside extended permit tcp any host 124.x.y.z eq https
access-list outside extended permit tcp any host 124.x.y.z eq ssh
access-list outside extended permit tcp any host 124.x.y.z eq http

access-group outside in interface outside

Unfortunately, I cannot share the complete ASA configuration here; will try to post if anything else is required.

Can anyone please figure out what went wrong?

I am really sorry about the limited information. Let me know if I need to provide anything else.

Thanks.
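An added verification sequence (not the poster's configuration) for the outside-to-DMZ static and ACL posted above. 124.x.y.z is kept as the poster's placeholder for the public address; the outside client 203.0.113.10, the capture name capout and the interface name dmz are assumptions.

```cisco
! Added example: exec-mode checks for the outside->DMZ path.
! 124.x.y.z is the poster's placeholder; 203.0.113.10 is a constructed
! test client address; "capout" is an arbitrary capture name.

! 1. Simulate an internet client opening HTTPS to the public address.
!    Every phase (ACCESS-LIST, NAT, ...) should report ALLOW; the first
!    DROP names the stage that is misconfigured.
packet-tracer input outside tcp 203.0.113.10 40000 124.x.y.z 443

! 2. Confirm the static translation for the web server is installed.
show xlate | include 192.168.10.5

! 3. Confirm the ACL is bound to the outside interface and its
!    permit lines accumulate hit counts when you browse to the server.
show running-config access-group
show access-list outside

! 4. The interface name in "static (dmz,outside)" must match nameif
!    exactly (dmz vs DMZ is a different interface).
show nameif

! 5. Is the SYN even arriving? Capture on outside, browse, then inspect.
capture capout interface outside match tcp any host 124.x.y.z eq 443
show capture capout
no capture capout
```

If packet-tracer allows the flow but the capture shows SYNs arriving with no reply, look beyond the ASA: the DMZ server's default gateway must be the ASA's DMZ address, and a host firewall on the server must accept ports 80, 443 and 22 from any source.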
15 years 4 months ago #31368 by faisal4u2
The configuration is perfectly fine.

You need to clear the ARP cache on your firewall, and the ARP entry also needs to be cleared on the ISP router.

Better is to reload your firewall and the modem or internet router after taking downtime in your organization; it will work.
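Before scheduling a reload, the ARP side can be checked and cleared from the ASA itself. This is an added example, not the poster's or faisal4u2's commands; 124.x.y.z remains the poster's placeholder for the public address.

```cisco
! Added example: ARP checks on the ASA for a public address that is
! only reachable through a static. 124.x.y.z is the poster's placeholder.

! The ASA answers ARP on the outside interface for addresses it has a
! static for (proxy ARP), which is how the ISP router learns where
! 124.x.y.z lives. Make sure this has not been disabled:
show running-config sysopt
! A line "sysopt noproxyarp outside" here means the ASA will never claim
! 124.x.y.z and the ISP router needs a route to it instead.

! What the ASA currently believes about the outside segment
! (the ISP router's entry should be present and correct):
show arp | include outside

! Flush the ASA's dynamic ARP entries; far less disruptive than a reload.
clear arp
```

What the ASA cannot fix is a stale entry on the ISP router mapping 124.x.y.z to the MAC of whatever held that address before; that entry ages out on the router's own timer, so if the address was recently moved onto the DMZ server, waiting for or requesting that flush is the relevant step rather than reloading the firewall.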