topic Creating Internal and external access in Network Security

Creating Internal and external access

jeffreydavy — Mon, 11 Mar 2019 22:48:59 GMT

I am using an ASA versions below:

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(1)

I have been tasked with enabling access from our internal networks to servers that are hosted on the DMZ and NATed to external clients.

How do I do this? The DMZ is not an internal routable network so do I use another NAT somehow ?

How do I propergate the DMZ server across the internal network ?

Thanks

Creating Internal and external access

varrao — Fri, 30 Mar 2012 10:01:26 GMT

Hi Jeff,

Going by your description, I assume you have three interfaces on the ASA, outside, inside and DMZ.

If you would like to access the DMZ servers on public IP's from the inside interface, then you would need the following config:

static (DMZ,inside) 1.1.1.1 10.1.1.1

nat (inside) 1 0 0

global (DMZ) 1 interface

where 1.1.1.1 is the public ip and 10.1.1.1 is the private ip of server.

If you want to access DMZ servers on their original ip's only.

static (DMZ,inside) 10.1.1.0 10.1.1.0 mask 255.255.255.0

nat (inside) 1 0 0

global (DMZ) 1 interface

This should be the minimum required config, unless I didnt understand your setup correct, moreover can you tell me wat device you are using?? model number?? base or plus license??

Hope that helps.

Thanks,

Varun

Creating Internal and external access

jeffreydavy — Fri, 30 Mar 2012 11:01:58 GMT

Thank you for responding Varun, but I the DMZ network is not routable across our MPLS network so that is what I need to understand. Do I have to set up another NAT so that we can access the DMZ servers from anywhrere in our network? Even across the MPLS from other offices?

I am using an ASA 5510 ver 8.2(1)

running ASDM 6.2(1)

here are the interfaces

interface Ethernet0/0.10

description SE-GF1-CR-A Tranit

vlan 10

nameif Inside

security-level 100

ip address 10.116.10.5 255.255.255.0 standby 10.116.10.6

interface Ethernet0/0.666

description SE-GF1-CR-A Legacy

vlan 666

nameif Legacy

security-level 100

ip address 172.16.104.254 255.255.252.0 standby 172.16.104.1

interface Ethernet0/1

description SE-GF1-CR-A Gi1/0/4 Trunk

speed 1000

duplex full

no nameif

security-level 100

no ip address

interface Ethernet0/1.20

vlan 20

nameif DMZ

security-level 40

ip address 172.16.111.1 255.255.255.0 standby 172.16.111.2

interface Ethernet0/2

description SE-GF1-CR1-A connects to Tele2 ISP

speed 100

duplex full

no nameif

security-level 0

no ip address

interface Ethernet0/2.15

vlan 15

nameif Outside

security-level 0

ip address pix_outside 255.255.255.240 standby 212.247.51.2

interface Ethernet0/3

speed 100

duplex full

nameif Extern

security-level 0

ip address 212.247.51.17 255.255.255.240 standby 212.247.51.27

Creating Internal and external access

varrao — Fri, 30 Mar 2012 11:26:35 GMT

Hi Jeff,

Yes you would need to setup nat that I have suggested in my previous post, that would give you complete access to the servers from the inside interface. From anyother interface as well the config is going to the same, just chnage in the interface names.

Thanks,

Varun