Query on DMZ implementation.
15 years 3 months ago #30989
by chidimaar
Hi,
I am trying to set up a DMZ on my ASA 5510; I am not able to access a web server on the DMZ from the inside.
I did some searching on the Internet (on firewall.cx as well) and found out I need to give a static command between inside and DMZ.
If my
inside is 10.10.10.0
DMZ is 192.168.10.0
I should have a static NAT between inside and DMZ; the command would be
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
Could anyone please help me understand what the above-mentioned command really does?
Thanks.
15 years 3 months ago #30991
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Query on DMZ implementation.
chidimaar,
I've removed your identical post in our other category as there is no need to make double posts; it just confuses things. One post is sufficient on Firewall.cx.
Regarding your question, you need two things:
1) A static NAT command
2) ACLs allowing traffic to pass between the two networks.
The static NAT command you mentioned should be correct according to the information you've provided:
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
The above command ensures that no NAT translation is performed for traffic from your INSIDE network toward the DMZ zone. This effectively means that machines on your DMZ zone will see the requests coming from your internal LAN IP range and try to reply back to them.
With Cisco ASAs, it is imperative that every NAT command is accompanied by its ACL (access list), otherwise no traffic will be allowed over your ASA.
So, with that in mind, you need to create an access list and apply it to your INSIDE interface.
For example:
access-list inside-in extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group inside-in in interface inside
The above should give you access to your DMZ from your LAN network.
Cheers,
15 years 3 months ago #30992
by chidimaar
Replied by chidimaar on topic Re: Query on DMZ implementation.
Thanks for the reply, Chris!
Let me get this right.
For traffic to flow between any two interfaces of the firewall, regardless of their security level, I must specify a NAT/no NAT along with an ACL permitting the traffic.
Please correct me if I am wrong.
Thanks.
15 years 3 months ago #30995
by chidimaar
Replied by chidimaar on topic Re: Query on DMZ implementation.
Also, with the above query, currently I am not able to access the server on the DMZ from the Internet. I have a bunch of public IPs provided to me by my ISP, out of which I am using one public IP for the server so that it'll be accessible over the Internet.
As mentioned earlier, 192.168.10.0/24 is my DMZ, and 192.168.10.5 is the web server.
I have configured the required things like static NAT and access list:
static (dmz,outside) 124.x.y.z 192.168.10.5 netmask 255.255.255.255
access-list outside extended permit tcp any host 124.x.y.z eq https
access-list outside extended permit tcp any host 124.x.y.z eq ssh
access-list outside extended permit tcp any host 124.x.y.z eq http
access-group outside in interface outside
Unfortunately, I cannot share the complete ASA configuration here; I will try to post it if anything else is required.
Can anyone please figure out what went wrong?
I am really sorry about the limited information. Let me know if I need to provide anything else.
Thanks.
15 years 3 months ago #31368
by faisal4u2
Replied by faisal4u2 on topic Re: Query on DMZ implementation.
The configuration is perfectly fine.
You need to clear ARP on your firewall, and the ARP entry needs to be cleared on the ISP router as well.
It is better to reload your firewall and the modem or Internet router after taking downtime in your organization; it will work.
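A complete worked configuration in the same pre-8.3 ASA syntax used in this thread, added here as an example; it is not from any of the posters. It pulls together the identity static and inside ACL from Chris's reply, the web-server static and outside ACL from chidimaar's second post, and the ARP check from faisal4u2's reply, and adds the restrictions a practitioner would want in front of a DMZ: SSH to the server is not open to the whole Internet, an ACL on the inside interface is written knowing that it removes the implicit permit toward lower-security interfaces, and the DMZ cannot initiate connections into the inside network. The interface names, the public addresses 198.51.100.0/29 and 198.51.100.5, the admin network 203.0.113.0/24 and the test source 192.0.2.10 are assumed placeholders taken from the RFC 5737 documentation ranges, not values from the thread; nat-control is assumed on because the thread's symptom (inside to DMZ failing until a static was added) is what that setting produces.

```cisco
! Added example, not the thread's configuration. Addressing assumed as follows:
!   inside  10.10.10.0/24    security-level 100
!   dmz     192.168.10.0/24  security-level 50, web server 192.168.10.5
!   outside 198.51.100.0/29  security-level 0, server's public IP 198.51.100.5
!   admin network 203.0.113.0/24 (hypothetical, used to restrict SSH)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! With nat-control on, every flow between two interfaces needs a matching nat/global or static rule
nat-control
! Identity static: inside hosts keep their real addresses toward the DMZ (no translation)
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
! One-to-one static for the web server; only the mapped address is reachable from outside
static (dmz,outside) 198.51.100.5 192.168.10.5 netmask 255.255.255.255
! Everything else going to the Internet is PATed behind the outside interface address
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
!
! Outside: web from anywhere, SSH only from the admin network, log what is dropped
access-list outside_in extended permit tcp any host 198.51.100.5 eq www
access-list outside_in extended permit tcp any host 198.51.100.5 eq https
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.5 eq ssh
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Inside: once an ACL is bound here the implicit permit to lower-security interfaces is gone,
! so Internet access must be permitted explicitly; inside may reach only the web server in the DMZ
access-list inside_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.5 eq www
access-list inside_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.5 eq https
access-list inside_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.5 eq ssh
access-list inside_in extended deny ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list inside_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group inside_in in interface inside
!
! DMZ: the identity static works in both directions, so a compromised web server could reach
! inside addresses unless the DMZ ACL denies it; allow only what the server needs outbound
access-list dmz_in extended deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 log
access-list dmz_in extended permit udp host 192.168.10.5 any eq domain
access-list dmz_in extended permit tcp host 192.168.10.5 any eq www
access-list dmz_in extended permit tcp host 192.168.10.5 any eq https
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Verification from the ASA itself. packet-tracer walks a simulated packet through
! ACL, NAT and routing and reports the phase that drops it (192.0.2.10 is an assumed test source).
packet-tracer input outside tcp 192.0.2.10 40000 198.51.100.5 80
packet-tracer input inside tcp 10.10.10.20 40000 192.168.10.5 80
packet-tracer input dmz tcp 192.168.10.5 40000 10.10.10.20 445
show xlate
show arp
clear arp
```

Two things to keep in mind when adapting this. First, a static is bidirectional: the identity static that lets inside reach the DMZ also lets the DMZ reach inside if the DMZ ACL allows it, which is why the dmz_in list denies that explicitly and why the third packet-tracer run (DMZ server toward an inside host on 445) should end in a drop at the ACL phase. Second, the ASA answers ARP for the static's mapped address on the outside interface by default, so if the upstream router still holds a stale MAC for 198.51.100.5 from a previous owner of that address, clear arp on the ASA alone does not help; the ISP side has to flush its entry or wait for it to age out, which is the situation faisal4u2's reply describes.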