topic INSIDE TO DMZ in Network Security

INSIDE TO DMZ

pokemon284 — Tue, 12 Mar 2019 06:45:54 GMT

I want to access Web Server from inside. My Web server is located in DMZ (IP:192.168.4.11). So how to NAT and create ACLs???

P/s: my English is not good!!! 😄

HiIf you don't have an access

Henrik Grankvist — Sat, 17 Oct 2015 19:48:28 GMT

If you don't have an access-list on the inside interface and the security-level is higher on the inside interface than on the DMZ interface, you don't need to do anything.

If you have an access-list on the inside interface you will need to add an access-list entry to that access-list where you permit http traffic to 192.168.4.11. But this also depends on how your access-list is configured. The best way would be that you posted your access-list configuration.

You do not need any NAT statements for this.

Hi,In addition to what Henrik

mvsheik123 — Sat, 17 Oct 2015 19:55:28 GMT

Hi,

In addition to what Henrik suggested- the config depends on how you are planning to access the webserver.

From Inside : using webserver Internal IP : ASA code 8.2 and below: you need 'Static' statement.

Code 8.3 and above- You should be able to access without any issues.

From Inside: using public IP/URL of the webserver- You need DNS doctoring. Google for the same based on code.

Hth

I configed NAT and ACL for :

pokemon284 — Sun, 18 Oct 2015 01:45:06 GMT

I configed NAT and ACL for : Public WWW, DNS in dmz to the outside

What should I do to access WebServer in dmz from inside???

interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.0.100 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 192.168.4.10 255.255.255.0

dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network INSIDE-INTERNET
subnet 192.168.1.0 255.255.255.0
object network DMZ-INTERNET
subnet 192.168.4.0 255.255.255.0
object network WWW
host 192.168.4.11
object network DNS
host 192.168.4.11
access-list AB extended permit tcp any object WWW eq www
access-list AB extended permit udp any object DNS eq domain

!
object network INSIDE-INTERNET
nat (inside,outside) dynamic interface
object network DMZ-INTERNET
nat (dmz,outside) dynamic interface
object network WWW
nat (dmz,outside) static 192.168.0.99 service tcp www www
object network DNS
nat (dmz,outside) static 192.168.0.99 service udp domain domain
access-group AB in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.2 1