Content created by Rene Molenaar (CCIE #41726)

Notable Replies

  1. Hi Dinh,

    If you want to access your DMZ server from the inside with its public IP address, then you'll have to configure NAT. This is something I wouldn't recommend, though... you can use the private IP address to reach the DMZ server from the inside.

    To give you an idea, here's an example where I configure hairpinning for a server on the inside:



  2. ASA1(config)# object network DMZ_POOL
    ASA1(config-network-object)# range

    ==== Is this supposed to be 200? Please correct me if I am wrong,

    as the translated address is

  3. config t
    interface gi0/0
    ip address
    nameif outside
    interface gi0/1
    ip address
    nameif inside
    interface gi0/3
    ip address
    nameif dmz
    security-level 50
    object network LAN
    object network DMZ
    object-group service Dmz_ports
    service-object tcp destination eq 80
    service-object tcp destination eq 443
    object network DMZ
    nat (dmz,outside) static service tcp 80 80
    object network DMZ
    nat (dmz,outside) static service tcp 443 443
    access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
    access-group out_acz_in in interface outside

    Note: Traffic from LAN to DMZ is allowed (high-to-low) but only for the inspected protocols like Telnet, HTTP, ...

    So HTTP 80 is inspected - not to worry about. Traffic with SP:80 from LAN to DMZ will flow by default.

    For any other traffic, use the access-list below as appropriate.

    ! Allow access to all ports from DMZ to INSIDE (applied inbound on the dmz interface, where that traffic enters the ASA)
    access-list dmz_acz extended permit ip object DMZ object LAN
    access-group dmz_acz in interface dmz
    ! Allow access only to port 443 from DMZ to INSIDE
    access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
    access-group dmz_acz in interface dmz

    Please let me know the results.

  4. Hello Rene,

    I am a little bit confused about the two commands when using NAT:

    nat(inside, outside)


    Appreciate your nice clarification as always :slight_smile:


  5. By default the FW allows traffic from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
    and if I want to block RDP from Inside to DMZ I will need to configure an access list?

    Thank you
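As an added example that is not part of the original thread (and not Rene's or any poster's configuration), here is how the access-list approach described in reply 3 applies to the question in reply 5: denying RDP from the inside network to one DMZ server while keeping the default high-to-low access for everything else. Every name and address in it (the objects LAN and DMZ_SERVER, 192.168.1.0/24, 192.168.2.10, and the ACL name inside_in) is an assumption made up for the illustration.

```cisco
! Constructed example, not from the thread. Object names and addresses are assumed.
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network DMZ_SERVER
 host 192.168.2.10
!
! Once any ACL is applied inbound on "inside", the implicit high-to-low permit
! for that interface no longer applies and the ACL's implicit deny takes over,
! so the final "permit ip any any" is required or all inside-to-dmz traffic drops.
! The "log" keyword makes each blocked RDP attempt visible in syslog.
access-list inside_in extended deny tcp object LAN object DMZ_SERVER eq 3389 log
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! Verification (read-only): the hitcnt on the deny line counts blocked RDP attempts.
show access-list inside_in
```

Ordering matters: the deny line must precede the broad permit, because the ASA evaluates access-list entries top to bottom and stops at the first match. If the same server should stay reachable from the inside on other ports (HTTP, SSH), nothing else is needed, since those flows fall through to the permit line.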
