https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615520#M594316 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you're running 8.2.x and below you need a static NAT and an ACL:</P><P></P><P>static (dmz,outside) 213.140.0.9 213.140.0.9</P><P>access-list outside permit tcp any host 213.140.0.9 eq XXX</P><P></P><P>You need the static to create the NAT entry and the ACL to allow the ports needed. <BR />The ACL should be applied to the outside interface in the inbound direction.</P><P></P><P>Hope it helps.</P><P><BR />Federico.</P></BODY></HTML> Thu, 13 Jan 2011 17:35:27 GMT Federico Coto Fajardo 2011-01-13T17:35:27Z https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615519#M594314 <P>Hi,</P><P></P><P>i have a server in a DMZ configured with a direct public IP. What do i have to configure on the ASA so that the Server is reachable from outside and have internet access from the DMZ? It`s a Webserver and FTP Server.</P><P></P><P>For example:</P><P></P><P>INSIDE: 10.10.10.0 /24</P><P>DMZ: 213.140.0.9 /29</P><P></P><P>ASA DMZ Interface: 213.140.0.10</P><P>DMZ Server: 213.140.0.12</P><P></P><P>At the moment i`m not able to reach the internet or access from the internet the DMZ server. What steps do i have to configure in simple words for a beginner <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/wink.gif"></SPAN></P><P></P><P>Thanks and best regards</P><P>Jason</P> Mon, 11 Mar 2019 19:34:48 GMT https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615519#M594314 born.jason 2019-03-11T19:34:48Z https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615520#M594316 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you're running 8.2.x and below you need a static NAT and an ACL:</P><P></P><P>static (dmz,outside) 213.140.0.9 213.140.0.9</P><P>access-list outside permit tcp any host 213.140.0.9 eq XXX</P><P></P><P>You need the static to create the NAT entry and the ACL to allow the ports needed. <BR />The ACL should be applied to the outside interface in the inbound direction.</P><P></P><P>Hope it helps.</P><P><BR />Federico.</P></BODY></HTML> Thu, 13 Jan 2011 17:35:27 GMT https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615520#M594316 Federico Coto Fajardo 2011-01-13T17:35:27Z https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615521#M594318 <HTML><HEAD></HEAD><BODY><P>Thanks Frederic.</P><P></P><P>And if i`m running Asa 8.3(1) ? How it looks like there?</P></BODY></HTML> Thu, 13 Jan 2011 18:32:49 GMT https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615521#M594318 born.jason 2011-01-13T18:32:49Z https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615522#M594319 <HTML><HEAD></HEAD><BODY><P>The concept is the same, but the syntax changes:</P><P></P><P>object network obj-213.140.0.9</P><P>host 213.140.0.9</P><P>nat (dmz,outside) static 213.140.0.9</P><P></P><P>In version 8.3, the ACL should reference to the real IP not the NATed one but it does not matter here since you're using the public IP directly.</P><P></P><P>Federico.</P></BODY></HTML> Thu, 13 Jan 2011 18:36:40 GMT https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615522#M594319 Federico Coto Fajardo 2011-01-13T18:36:40Z https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615523#M594320 <HTML><HEAD></HEAD><BODY><P>you mean network or the host?</P><P></P><P>object network obj-213.140.0.9</P><P><STRONG>network</STRONG> 213.140.0.9</P><P>nat (dmz,outside) static 213.140.0.9</P><P></P><P>or the DMZ host</P><P></P><P>object network obj-213.140.0.12</P><P><STRONG>host</STRONG> 213.140.0.12</P><P>nat (dmz,outside) static 213.140.0.12</P><P></P><P>and the ACL is the same and i have to assign it to the inside interface like you said in your first post?</P><P></P><P>access-list outside permit tcp any host 213.140.0.9 eq XXX</P></BODY></HTML> Thu, 13 Jan 2011 19:57:36 GMT https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615523#M594320 born.jason 2011-01-13T19:57:36Z https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615524#M594321 <HTML><HEAD></HEAD><BODY><P>That is correct. Since you are interested in accessing the host on a specific port, you can configure the object group with "host" keyword and then configure the STATIC NAT. In the access-list, you can allow access to specific ports. One thing you need to remember is some of the early 8.3 versions have Proxy ARP issues related to identity NAT (the way you are doing it). If your configuration did not work, then try configuring private IP on the DMZ and statically map it to a public IP on the outside and see if that helps (when you do this, in your access-list, you need to allow access to the real IP i.e. private IP).</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Thu, 13 Jan 2011 22:55:32 GMT https://community.cisco.com/t5/network-security/host-inside-dmz-with-a-public-ip-configured-no-access-to-outside/m-p/1615524#M594321 Nagaraja Thanthry 2011-01-13T22:55:32Z