topic Re: enable an external acces to server on DMZ in Network Security

enable an external acces to server on DMZ

Junior Mateus — Mon, 11 Mar 2019 20:17:20 GMT

Hi everybody,

i' m a new on administration of ASA, i'' ve one appliance ASA 5510, v8.X and asdm 6X

here u have my configuration :

interface Ethernet0/0
description Link To WAN
nameif outside
security-level 0
ip address 212.96.23.186 255.255.255.252
!
interface Ethernet0/1
description Link to LAN(forefront)
nameif inside
security-level 100
ip address 10.20.80.1 255.255.255.252
!
interface Ethernet0/2
description Link to CoreSW (DMZ)
nameif DMZ
security-level 50
ip address 10.70.70.254 255.255.255.0

i have on server ssh (10.70.70.10) on my DMZ .

I wan to enable my external user, i mean outside user to be able to acces to this server wich is in my DMZ for this port ( ssh)

I need some propositions Script wich can permit me to do this

Thank u in advance

Re: enable an external acces to server on DMZ

IAN WHITMORE — Wed, 06 Apr 2011 11:10:24 GMT

Well the simplest form is to use a static nat and then allow ssh in your ACL. Normally you would "publish" your server on the internet. First you need to reserve and assign a public IP address in your range (if you have one free).

For exmaple:

static (DMZ, outside) 212.96.23.x 10.70.70.10 netmask 255.255.255.255

Then allow ssh in your outside access-list (depending on the name of your access-list):

access-list outside permit tcp any host 10.70.70.10 eq ssh

Of course if your "public" user has a fixed IP address then it would be better to change "any" for his address to be more secure.

If you don't have any spare public IP addresses you can always use port redirection instead.

HTH,

Ian

Re: enable an external acces to server on DMZ

Junior Mateus — Wed, 06 Apr 2011 14:24:42 GMT

thank you IAN for

you answer is true.. suppose that i have just one public Ip wich is in my outside interface

how can i use the PAR ( Port address Redirection) for ssh, because the ASA also use ssh .

I test the script you give me it working but .. is the ASA which respond me on SSH

i change the server port of ssh on 1080 for don't have this conflict port.

i think you second idea it's better for port redirection , how can i used it if my server is 1080 for example

Re: enable an external acces to server on DMZ

IAN WHITMORE — Thu, 07 Apr 2011 07:24:06 GMT

You don't need to change the server port. It should be like this:

static (DMZ, outside) tcp 212.96.23.x 2022 10.70.70.10 22 netmask 255.255.255.255

What you are saying here is:

Take the tcp connections to ip 212.96.23.x port 2022 and translate them to ip 10.70.70.10 port 22.

Then, the external user should try to ssh obviously to the non-standard port 2022 from the public network.

Regards,

Ian

Re: enable an external acces to server on DMZ

Junior Mateus — Thu, 07 Apr 2011 08:46:49 GMT

thank u IAN ..i' ll do it like this