topic shifting the servers from inside to DMZ in Network Security https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262260#M858562 <P>Hi all,</P><P>i have to make DMZ in my network already my servers are working in inside network, but now i have to shift these server to DMZ,</P><P>kindly look at my configuration and guide me with configuration how i can achieve this goal. Thanks</P><P>********************</P><P></P><P>ASA Version 8.0(4) </P><P>interface GigabitEthernet0/0 </P><P>nameif outside </P><P>security-level 0 </P><P>ip address 10.10.10.2 255.255.255.252 </P><P>interface GigabitEthernet0/1 </P><P>nameif Inside </P><P>security-level 100 </P><P>ip address 192.168.0.1 255.255.255.0 </P><P>interface GigabitEthernet0/2 </P><P>nameif DMZ </P><P>security-level 50 </P><P>ip address 192.168.100.1 255.255.255.0 </P><P>interface GigabitEthernet0/3 </P><P>description LAN Failover Interface </P><P>interface Management0/0 </P><P>nameif management </P><P>security-level 100 </P><P>ip address 192.168.1.1 255.255.255.0 </P><P>management-only </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777 </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any </P><P>access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any </P><P>access-list traffic_for_ips extended permit ip any any </P><P>access-list inside_access_all extended permit ip any any </P><P>access-list DMZ_access_all extended permit icmp any any </P><P>nat (Inside) 0 access-list nonat </P><P>nat (DMZ) 0 access-list nonatDMZ </P><P>static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 </P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_all in interface Inside</P><P>access-group DMZ_access_all in interface DMZ </P><P>route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 </P><P>: end </P><P>ASA# </P> Mon, 11 Mar 2019 15:56:51 GMT aamirkiani 2019-03-11T15:56:51Z shifting the servers from inside to DMZ https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262260#M858562 <P>Hi all,</P><P>i have to make DMZ in my network already my servers are working in inside network, but now i have to shift these server to DMZ,</P><P>kindly look at my configuration and guide me with configuration how i can achieve this goal. Thanks</P><P>********************</P><P></P><P>ASA Version 8.0(4) </P><P>interface GigabitEthernet0/0 </P><P>nameif outside </P><P>security-level 0 </P><P>ip address 10.10.10.2 255.255.255.252 </P><P>interface GigabitEthernet0/1 </P><P>nameif Inside </P><P>security-level 100 </P><P>ip address 192.168.0.1 255.255.255.0 </P><P>interface GigabitEthernet0/2 </P><P>nameif DMZ </P><P>security-level 50 </P><P>ip address 192.168.100.1 255.255.255.0 </P><P>interface GigabitEthernet0/3 </P><P>description LAN Failover Interface </P><P>interface Management0/0 </P><P>nameif management </P><P>security-level 100 </P><P>ip address 192.168.1.1 255.255.255.0 </P><P>management-only </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777 </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any </P><P>access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any </P><P>access-list traffic_for_ips extended permit ip any any </P><P>access-list inside_access_all extended permit ip any any </P><P>access-list DMZ_access_all extended permit icmp any any </P><P>nat (Inside) 0 access-list nonat </P><P>nat (DMZ) 0 access-list nonatDMZ </P><P>static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 </P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_all in interface Inside</P><P>access-group DMZ_access_all in interface DMZ </P><P>route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 </P><P>: end </P><P>ASA# </P> Mon, 11 Mar 2019 15:56:51 GMT https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262260#M858562 aamirkiani 2019-03-11T15:56:51Z Re: shifting the servers from inside to DMZ https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262261#M858564 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P> With this conf you wll not be able to access your servers from outside.</P></BODY></HTML> Tue, 21 Jul 2009 12:52:27 GMT https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262261#M858564 Jithesh K Joy 2009-07-21T12:52:27Z Re: shifting the servers from inside to DMZ https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262262#M858565 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I think the following lines are confusing:- </P><P></P><P>access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any</P><P>access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any</P><P>access-list traffic_for_ips extended permit ip any any</P><P>access-list inside_access_all extended permit ip any any</P><P>access-list DMZ_access_all extended permit icmp any any</P><P>nat (Inside) 0 access-list nonat</P><P>nat (DMZ) 0 access-list nonatDMZ</P><P>static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0</P><P></P><P>Can you tell me what are you planning to use this lines for???</P><P></P><P>to have your inside n/w access DMZ just enter below commands and it will work you dont need any other thing:</P><P></P><P>access-list inside_nat0 extended permit ip any 192.168.100.0 255.255.255.0 </P><P></P><P>nat(inside) 0 access-list inside_nat0</P><P></P><P>thts it this will server ur purpose and you will be able to access DMZ frm Inside</P><P></P><P>and to access DMZ frm Outside you need to create Static\Dynamic Natting as required.</P><P></P><P>Regards,</P><P>Hussain</P></BODY></HTML> Tue, 21 Jul 2009 13:21:29 GMT https://community.cisco.com/t5/network-security/shifting-the-servers-from-inside-to-dmz/m-p/1262262#M858565 hussain.ratlami 2009-07-21T13:21:29Z