topic Re: Access from dmz to internet, where internet and inside lan a in Network Security

Access from dmz to internet, where internet and inside lan are on same interface

ashish_kandari — Mon, 11 Mar 2019 18:21:57 GMT

I have a scenerio, my outside and inside network are connected via inside interface of my firewall pix. And dmz is connected via dmz. Inside has security level 100 and dmz has 40,

from dmz i can access inside lan, but not able to access internet. KIndly help.

Re: Access from dmz to internet, where internet and inside lan a

Nagaraja Thanthry — Fri, 06 Aug 2010 13:05:40 GMT

Hello,

Do you have NAT rules configured to access internet from DMZ?

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

In the above example, the outside interface IP address will be shared by

both the inside and dmz clients when going to internet. Please make sure

that you have something similar configured. Also you need to check the

following things:

-- There are no access-list entries on the DMZ to block internet connection

-- You have access to the DNS server (if DNS server is on the inside subnet,

please configure a static NAT rule for the DNS server)

-- If you are using ASA5505 with base license, you will not be able to

communicate between the inside and outside simultaneously.

Hope this helps,

Regards,

Re: Access from dmz to internet, where internet and inside lan a

ashish_kandari — Fri, 06 Aug 2010 13:06:01 GMT

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255 0 0

nat (dmz) 2 10.2.1.2 255.255.255.248 0 0
nat (dmz) 2 10.2.3.0 255.255.255.224 0 0
nat (dmz) 2 10.7.1.32 255.255.255.224 0 0
global (inside) 2 interface

will this help...

Re: Access from dmz to internet, where internet and inside lan a

Nagaraja Thanthry — Fri, 06 Aug 2010 13:12:41 GMT

Hello,

Few concerns:

static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255

This statement seems to be incorrect.

global (inside) 2 interface

Why are you mapping DMZ traffic to inside interface IP?

You do not need to statically map DMZ addresses to inside address unless

they are some servers. If you were trying to map the DNS server, your first

statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes

care of it.

Hope this helps.

Regards,

Re: Access from dmz to internet, where internet and inside lan a

ashish_kandari — Fri, 06 Aug 2010 13:16:46 GMT

but i dont have any outside interface configured.....

Outside- router---inside --firewall---dmz.

Outside and inside are on same side of firewall...

this config :

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

I thnk as traffic is movig from lower to higher security level, we need a static nat.

But how can i use a static nat for all internet address, there is no option of wild card in static nat..

thanks in advance..

ashish

Re: Access from dmz to internet, where internet and inside lan a

ashish_kandari — Fri, 06 Aug 2010 13:20:35 GMT

static (dmz,inside) 10.0.0.0 10.1.1.1 netmask 255.255.255.255

This is becoz..dmz and inside are using approx same kind of ip range means.. 10.*.*

becoz of this command access from dmz to inside is possible, but not towards internet......

In my firewall outside interface traffic is not even reaching,.. its getting dead before it.. some natting issue.

This statement seems to be incorrect.

global (inside) 2 interface

want to so that it will take inside ip addresss to go to internet...

Why are you mapping DMZ traffic to inside interface IP?

You do not need to statically map DMZ addresses to inside address unless
they are some servers. If you were trying to map the DNS server, your first
statement (static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0) takes
care of it.

Re: Access from dmz to internet, where internet and inside lan a

Nagaraja Thanthry — Fri, 06 Aug 2010 13:26:10 GMT

Hello,

In that case, you can disable NAT control and remove the existing NAT

configurations.

ASA#configure terminal

ASA(config)#no nat-control

ASA(config)#clear configure nat

ASA(config)#clear configure global

ASA(config)#clear configure static

Since you have disabled the NAT requirement, all traffic will go to your

outside router without any NAT. Make sure that the outside router has a rule

to accommodate DMZ subnets in the NAT pool.

Hope this helps.

Regards,

Re: Access from dmz to internet, where internet and inside lan a

ashish_kandari — Fri, 06 Aug 2010 13:30:11 GMT

i can check that, but for that i will need down time... as some connection will also dro

p.. second thing.... for traffic from lower to higher security level, dont we need static nat. ......

Re: Access from dmz to internet, where internet and inside lan a

Nagaraja Thanthry — Fri, 06 Aug 2010 13:40:11 GMT

Hello,

You do not need any NAT rule when you are going from lower security

interface to higher security interface.

Regards,