topic inside to access dmz in Network Security

inside to access dmz

prashantrecon — Mon, 11 Mar 2019 22:59:00 GMT

dmz -192.168.10.x inside -172.16.x.x.

192.168.10.x is natted to a public ip 202.x.x.x

for outside to access 192.168.10.x i have created accesslist with name out

static (inside,outside) 202.x.x.x 192.168.10.x netmask 255.255.255.255

access-list out extended permit tcp any host 202.x.x.x eq 80

access-group out in interface outside

if the nat control is not enabled than inside users will be able to acess the server by default

now nat control is enabled for inside users to access dmz server

static (dmz,inside) 192.168.10.x 192.168.10.x netmask 255.255.255.255

access-list dmz extended permit tcp any host 192.168.10.x eq 80

is the above access-list right ? where should the access-group shoul be applied on dmz or inside

inside to access dmz

Dan-Ciprian Cicioiu — Fri, 27 Apr 2012 07:58:10 GMT

Hi Prashant,

When nat-control is enabled, it enabled globally. This means that ANY higher level security level interface ( inside or dmz in your case ) require NAT in order to communicate with hosts with ANY lower level security level interface ( outside in your case ) . What I am tring to say is that the is not only the case of INSIDE , but also the DMZ interface.

Regarding you config, it not quite ok.As per requirements of nat-control DMZ is the lower level security interface in comparation with INSIDE.So you will need to source NAT the inside :

static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.255

This type of NAT is called identity nat, because the source is not actualy changed. This way you can bypass the nat-control requirement.

Dan

inside to access dmz

prashantrecon — Fri, 27 Apr 2012 08:20:08 GMT

Thanks

Is the access-list and access-group remains same.

Another thing if nat control is not enabled than

All the natted system in dmz should access the internet as they flow from higher interface to lower interface

Can I give the route on firewall as

route dmz 0.0.0.0 0.0.0.0 202.x.x.x(gateway)

Already there is default route for outside as

route outside 0.0.0.0 0.0.0.0 202.x.x.x

inside to access dmz

Dan-Ciprian Cicioiu — Fri, 27 Apr 2012 08:38:24 GMT

No. The access-list should be :

access-list dmz extended permit tcp any host 172.16.x.x eq 80

If you are trying to connect to 172.16.x.x destination por 80/TCP

But you didn't tell me what are you tring to access ? Where is the client where is the server application

As I see it, the client is in the INSIDE , the server is on DMZ, then the acl should be applied on inside :

access-list inside extended permit tcp any host 192.168.10.x eq 80

The routing in general is made after destination , so if you have already the route to the outside, then you do not need to do anything else regarding the routing. Nat-control does not have an impact to the routing table.

Dan