Content created by Rene Molenaar (CCIE #41726)
Forum Replies

  1. pbyrne says:

    Hi Sims,

    Below is part of the config and yes, it does require that the LAN is NATed to the DMZ_POOL.
    You could also use no nat-control, which exempts you from having to do NAT across the ASA's interfaces.

    object network INSIDE_TO_DMZ
    subnet 192.168.1.0 255.255.255.0
    nat (INSIDE,DMZ) dynamic DMZ_POOL
  2. config t
    interface gi0/0
    ip address 1.2.3.4 255.255.255.0
    nameif outside
    
    interface gi0/1
    ip address 192.168.10.1 255.255.255.0
    nameif inside
    
    interface gi0/3
    ip address 172.28.0.2 255.255.255.0
    nameif dmz
    security-level 50
    
    object network LAN
    subnet 192.168.10.0 255.255.255.0
    
    object network DMZ
    host 172.28.0.15
    
    object-group service Dmz_ports
    service-object tcp destination eq 80
    service-object tcp destination eq 443
    
    object network DMZ_HTTP
    host 172.28.0.15
    nat (dmz,outside) static interface service tcp 80 80
    
    object network DMZ_HTTPS
    host 172.28.0.15
    nat (dmz,outside) static interface service tcp 443 443
    
    access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
    access-group out_acz_in in interface outside

    Note: Traffic from LAN to DMZ is allowed (high-to-low) but only for the inspected protocols like Telnet, HTTP, ...

    So HTTP 80 is inspected, not to worry about. Traffic with SP:80 from LAN-to-DMZ will flow by default.

    For any other traffic, use the below access-list as appropriate.

    //ALLOW access all ports from DMZ to INSIDE
    
    access-list dmz_acz extended permit ip object DMZ object LAN
    access-group dmz_acz in interface dmz
    
    
    //Allow access only port 443 from DMZ to INSIDE
    
    access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
    access-group dmz_acz in interface dmz

    Please let me know the results.

  3. Hi Zaman,

    Here's how it works:

    ASA1(config)# object network SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.2.200

    This basically does two things:


    • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.

    • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.

    We use this so a server on the INSIDE is reachable from the OUTSIDE. We also use NAT (INSIDE,OUTSIDE) so that multiple hosts can access the Internet through a single public IP address.

    Now let's look at another example:

    ASA1(config)# object network DNS_SERVER
    ASA1(config-network-object)# host 8.8.8.8
    ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.1.8

    Here's what it means:


    • When a packet enters the OUTSIDE and exits the INSIDE, and the source IP address is 8.8.8.8 then we translate the source address to 192.168.1.8.

    • When a packet enters the INSIDE and exits the OUTSIDE, and the destination IP address is 192.168.1.8 then we translate the destination address to 8.8.8.8.

    This can be useful if you want hosts to be able to reach some external server using an internal IP address. When an internal host tries to reach 192.168.1.8, then it will be translated to 8.8.8.8 (Google DNS).

    Hope this helps!

    Rene
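The two-direction behaviour of a static object-NAT rule described in the reply above, modelled in Python as an added example (this is not code from the original post or from Cisco). The `Packet` and `StaticNat` types and the `translate` helper are constructed here; the object names, interfaces and addresses are the reply's. The model treats the first interface in the `nat (...)` statement as the one where the real address lives, so for the DNS example the real host 8.8.8.8 is entered with OUTSIDE first to reproduce the behaviour the reply describes.

```python
# Added example (not from the original post): a small model of how an ASA
# static object-NAT rule rewrites a packet in each direction, following the
# two bullet points in the reply above. Interface and address names are the
# reply's; the Packet/StaticNat types are constructed here for illustration.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet enters the ASA on
    egress: str   # interface the packet leaves on
    src: str
    dst: str


@dataclass(frozen=True)
class StaticNat:
    """One `object network NAME` / `host REAL` / `nat (REAL_IFC,MAPPED_IFC) static MAPPED`.

    The first interface in the nat statement is where the real address lives,
    the second is where the mapped address is presented.
    """
    name: str
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str

    def apply(self, pkt: Packet) -> Optional[Packet]:
        # real -> mapped direction: rewrite the SOURCE address
        if (pkt.ingress, pkt.egress, pkt.src) == (self.real_ifc, self.mapped_ifc, self.real_ip):
            return replace(pkt, src=self.mapped_ip)
        # mapped -> real direction: rewrite the DESTINATION address
        if (pkt.ingress, pkt.egress, pkt.dst) == (self.mapped_ifc, self.real_ifc, self.mapped_ip):
            return replace(pkt, dst=self.real_ip)
        return None  # this rule does not apply to the packet


def translate(rules: List[StaticNat], pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Apply the first static rule that matches; untouched packets come back with rule None."""
    for rule in rules:
        out = rule.apply(pkt)
        if out is not None:
            return out, rule.name
    return pkt, None


# The two objects from the reply.  For DNS_SERVER the real host (8.8.8.8) sits on
# OUTSIDE, so the model lists OUTSIDE first to get the behaviour the reply describes.
RULES = [
    StaticNat("SERVER", "INSIDE", "OUTSIDE", "192.168.1.1", "192.168.2.200"),
    StaticNat("DNS_SERVER", "OUTSIDE", "INSIDE", "8.8.8.8", "192.168.1.8"),
]

if __name__ == "__main__":
    # Constructed sample packets (203.0.113.9 is a documentation address standing in for an Internet host).
    for pkt in [
        Packet("INSIDE", "OUTSIDE", "192.168.1.1", "203.0.113.9"),    # server replies out
        Packet("OUTSIDE", "INSIDE", "203.0.113.9", "192.168.2.200"),  # client reaches server
        Packet("INSIDE", "OUTSIDE", "192.168.1.10", "192.168.1.8"),   # host queries the "internal" DNS address
        Packet("INSIDE", "OUTSIDE", "192.168.1.10", "203.0.113.9"),   # no static rule matches
    ]:
        print(pkt, "->", translate(RULES, pkt))
```

The last sample packet shows the point that is easy to miss when reading the two bullets: a static rule only touches packets whose address and interface pair match it, so a host that is not covered by any object still needs a separate (typically dynamic) rule to reach the OUTSIDE.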

  4. By default the FW allows from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
    and if I want to block RDP from Inside to DMZ I will need to configure an access list?

    Thank you

  5. Hi Hoan,

    That is correct, it is permitted because you go from a higher to a lower security level. If you want to block this, you have to use an access-list. I have an example here:

    Look for the "deny traffic from inside" section.

    Rene
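The rule Rene states above (higher to lower security level is permitted by default, and an access-list is what overrides it), worked through as an added example in Python; it is not code from the original thread or from Cisco. The `Flow`, `Ace` and `evaluate` names are constructed here, and the addresses reuse the earlier config in this thread (inside 192.168.10.0/24, DMZ host 172.28.0.15). The example goes slightly beyond the question by also showing the lower-to-higher default and the implicit deny at the end of an applied ACL.

```python
# Added example (not from the original thread): a model of the ASA default
# interface policy (higher security-level to lower is permitted, the reverse
# is not) and of an inbound access-list that overrides it, answering the RDP
# question above. Interface names/levels and addresses are constructed to
# match the earlier config in this thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ingress: str  # interface the first packet arrives on
    egress: str   # interface it would leave on
    proto: str    # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: `access-list NAME extended <action> <proto> <src> <dst> [eq <dport>]`."""
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(f.dst) not in ip_network(self.dst, strict=False):
            return False
        return self.dport is None or self.dport == f.dport


def evaluate(levels: Dict[str, int], acls: Dict[str, List[Ace]], f: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). `acls` maps interface name -> ACL applied inbound there."""
    acl = acls.get(f.ingress)
    if acl is not None:
        # An inbound ACL replaces the default policy for that interface:
        # first match wins and there is an implicit deny at the end.
        for i, ace in enumerate(acl, start=1):
            if ace.matches(f):
                return ace.action, f"{f.ingress} ACL line {i}"
        return "deny", f"{f.ingress} ACL implicit deny"
    # No ACL: only traffic from a higher to a strictly lower security level passes.
    if levels[f.ingress] > levels[f.egress]:
        return "permit", "higher-to-lower default"
    return "deny", "lower-to-higher default"


LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# Inbound ACL on 'inside' that blocks RDP to the DMZ server and keeps everything
# else allowed. Because of the implicit deny, the final 'permit ip' line is what
# preserves the other inside-to-dmz and inside-to-outside traffic.
BLOCK_RDP = {
    "inside": [
        Ace("deny", "tcp", "192.168.10.0/24", "172.28.0.15/32", 3389),
        Ace("permit", "ip", "192.168.10.0/24", "0.0.0.0/0"),
    ]
}

# Constructed sample flows.
RDP_TO_DMZ = Flow("inside", "dmz", "tcp", "192.168.10.5", "172.28.0.15", 3389)
HTTPS_TO_DMZ = Flow("inside", "dmz", "tcp", "192.168.10.5", "172.28.0.15", 443)
DMZ_TO_INSIDE = Flow("dmz", "inside", "tcp", "172.28.0.15", "192.168.10.5", 445)

if __name__ == "__main__":
    print("no ACL, RDP inside->dmz:  ", evaluate(LEVELS, {}, RDP_TO_DMZ))
    print("ACL,    RDP inside->dmz:  ", evaluate(LEVELS, BLOCK_RDP, RDP_TO_DMZ))
    print("ACL,    HTTPS inside->dmz:", evaluate(LEVELS, BLOCK_RDP, HTTPS_TO_DMZ))
    print("no ACL, SMB dmz->inside:  ", evaluate(LEVELS, {}, DMZ_TO_INSIDE))
```

The practical caveat the model makes visible: once an access-group is applied inbound on an interface, the security-level default for that interface no longer applies, so a deny-only ACL would silently cut off all other traffic from that interface; the trailing permit line is doing real work.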
