Content created by Rene Molenaar (CCIE #41726)



Notable Replies

  1. Hi Dinh,

    If you want to access your DMZ server from the inside with its public IP address, then you'll have to configure NAT. This is something I wouldn't recommend, though...you can use the private IP address to reach the DMZ server from the inside.

    To give you an idea, here's an example where I configure hairpinning for a server on the inside:

    https://networklessons.com/cisco/cisco-asa/cisco-asa-hairpin-internal-server/

    Rene

  2. ASA1(config)# object network DMZ_POOL
    ASA1(config-network-object)# range 192.168.3.100 192.168.3.100

    ==== Is this supposed to be 200? Please correct me if I am wrong,

    as the translated address is 192.168.3.146.

  3. config t
    interface gi0/0
    ip address 1.2.3.4 255.255.255.0
    nameif outside
    security-level 0
    
    interface gi0/1
    ip address 192.168.10.1 255.255.255.0
    nameif inside
    security-level 100
    
    interface gi0/3
    ip address 172.28.0.2 255.255.255.0
    nameif dmz
    security-level 50
    
    object network LAN
    subnet 192.168.10.0 255.255.255.0
    
    object network DMZ
    host 172.28.0.15
    
    object-group service Dmz_ports
    service-object tcp destination eq 80
    service-object tcp destination eq 443
    
    ! A network object holds only one nat statement, so each forwarded port gets its own object.
    ! nat (real_ifc,mapped_ifc): the server is real on dmz and is reached via the outside interface IP (1.2.3.4).
    object network DMZ_HTTP
    host 172.28.0.15
    nat (dmz,outside) static interface service tcp 80 80
    
    object network DMZ_HTTPS
    host 172.28.0.15
    nat (dmz,outside) static interface service tcp 443 443
    
    access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
    access-group out_acz_in in interface outside

    Note: Traffic from LAN to DMZ is allowed (high-to-low), but only for the inspected protocols like Telnet, HTTP, ...

    So HTTP 80 is inspected, not to worry about. Traffic with SP:80 from LAN to DMZ will flow by default.

    For any other traffic use the access-list below as appropriate.

    ! ALLOW access to all ports from DMZ to INSIDE (traffic from the DMZ enters on the dmz interface)
    
    access-list dmz_acz extended permit ip object DMZ object LAN
    access-group dmz_acz in interface dmz
    
    
    ! Allow access only to port 443 from DMZ to INSIDE
    
    access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
    access-group dmz_acz in interface dmz

    Please let me know the results.

  4. Hello Rene,

    I am a little bit confused about the two commands when using NAT:

    nat(inside, outside)

    nat(outside,inside)

    Appreciate your nice clarification as always :slight_smile:

    br/
    zaman

  5. By default the FW allows traffic from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
    and if I want to block RDP from Inside to DMZ, will I need to configure an access list?

    Thank you

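As an added example (constructed here, not posted by anyone in the thread), the ASA 8.3+ configuration below addresses the two questions above: in nat (real_ifc,mapped_ifc) the first interface is where the object's real address lives and the second is where its translated address appears, and an ACL applied inbound on the inside interface is what blocks RDP from the LAN toward the DMZ. Interface names and addresses follow the configuration in reply 3; the object name DMZ_HTTP and the ACL name inside_in are assumed.

```cisco
! Constructed example; interfaces and addresses follow the configuration in reply 3
object network LAN
 subnet 192.168.10.0 255.255.255.0
 ! nat (real_ifc,mapped_ifc): LAN hosts are real on inside, translated on outside
 nat (inside,outside) dynamic interface
!
object network DMZ_HTTP
 host 172.28.0.15
 ! same rule: the server is real on dmz, its mapped address is the outside interface IP
 nat (dmz,outside) static interface service tcp 80 80
!
! Once an ACL is applied to inside, the high-to-low default no longer applies,
! so the explicit permit at the end keeps other inside-originated traffic working.
access-list inside_in extended deny tcp object LAN object DMZ_HTTP eq 3389
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

Writing nat (outside,inside) would instead describe an object whose real address sits on the outside and is translated as seen from the inside, which is not the case for either the LAN or the DMZ server here.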