  • Content created by Rene Molenaar (CCIE #41726)
Forum Replies

  1. Hi Rene

    I have a situation quite like your example.
    In your example, the DMZ zone was assigned a public IP. We can access from R1 to R3 (via NAT INSIDE_TO_DMZ) and R2 (via INSIDE_TO_OUTSIDE).
    If the DMZ zone was assigned a private IP address and the DMZ wants to go public (needing a public IP range from the outside interface), we use static NAT or port forwarding to point to the real server by private IP and some access-list on ASA1, then OUTSIDE can access DMZ.
    But how can INSIDE access the DMZ via public IP?

    Thanks

  2. Hi Dinh,

    If you want to access your DMZ server from the inside with its public IP address, then you’ll have to configure NAT. This is something I wouldn’t recommend, though…you can use the private IP address to reach the DMZ server from the inside.

    To give you an idea, here’s an example where I configure hairpinning for a server on the inside:

    https://networklessons.com/cisco/asa-firewall/cisco-asa-hairpin-internal-server/

    Rene

  3. Hi Zaman,

    Here’s how it works:

    ASA1(config)# object network SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.2.200
    

    This basically does two things:

    • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.
    • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.

    We use this so a server on the INS


  4. By default the FW allows traffic from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
    and if I want to block RDP from Inside to DMZ I will need to configure an access list?

    Thank you
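
The default behaviour raised in reply 4, next to an access list that restricts it, as an added example that is not part of the original thread or lesson. The ACL name INSIDE_IN, the DMZ server address 192.168.3.1 and the inside test host 192.168.1.10 are assumptions; the interface name INSIDE is taken from the thread.

```cisco
! Added example with constructed addresses; not configuration from the lesson.
!
! Default: no ACL on INSIDE, so traffic from the higher security level
! (INSIDE) to the lower one (DMZ) is permitted, RDP included.
!
! Deny RDP (TCP/3389) from any inside host to the assumed DMZ server.
ASA1(config)# access-list INSIDE_IN extended deny tcp any host 192.168.3.1 eq 3389
! Once an ACL is bound to the interface, the implicit "higher to lower"
! permit no longer applies and the list ends in an implicit deny, so the
! remaining traffic has to be permitted explicitly. This line mirrors the
! default; tighten it to the flows that are actually needed.
ASA1(config)# access-list INSIDE_IN extended permit ip any any
ASA1(config)# access-group INSIDE_IN in interface INSIDE
!
! Check: simulate an RDP flow from a constructed inside host and confirm
! the drop, then read the hit counters on the deny entry.
ASA1# packet-tracer input INSIDE tcp 192.168.1.10 50000 192.168.3.1 3389
ASA1# show access-list INSIDE_IN
```

On ASA 8.3 and later, interface ACLs match the real (untranslated) address of the server, so the deny entry uses the DMZ server's own IP even when NAT is configured for it.
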

  5. Hello there,

    I am kind of new in the networking field.
    I have configured ASA dynamic NAT with DMZ as per Unit 2.
    For some reason I can’t telnet into R2 and R3; it gives me the error “connection refused by remote host”.
    If you can help me out, please.
    Thanks
