topic Re: DMZ configuration in Network Security

DMZ configuration

chevymannie — Mon, 11 Mar 2019 14:39:22 GMT

I'm new to firewall configurations so I need a little clarity. I have an asa setup. My internal network is 192.168.0.0/24 and my dmz network is 10.0.0.0 /24. Now I need to know how to configure access from my internal network to my dmz network. We have a webserver and an ftp server on the same box there. I also have statics setup for outside access. I need to see an example DMZ acl and for some to explain it to me because I can't find documentation for it anywhere on the cisco site.

Re: DMZ configuration

sdoremus33 — Mon, 19 Jan 2009 22:03:46 GMT

Start with this page

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#DMZ2inside

So if your internal network is 192.168.0.0 and the dmx is 10.0.0.0 you would need to do something like this

1.Specify the source(s) of the traffic that must be translated.

so in your case it would be

nat (inside) 1 192.168.0.0 /* This is the inside subnet that needs to xlated and appear as a host on the 10.0.0.0 DMZ network

global (dmz) 1 interface /* This will take the src traffic (inside subnet) and xlate or present the src as the interface of the dmz subnet which will allow you to access the devices within your dmz.HTH

Since you are traversing from a higher security interface to a lower interface you do not need an ACL to specify the traffic,however if you require traffic from an outsideor dmz host access to insode resources then you will nedd an ACL first to permit the traffic then specify the static translation that will be stored in your xlate table

Re: DMZ configuration

sdoremus33 — Mon, 19 Jan 2009 22:10:55 GMT

So if your internal network is 192.168.0.0 and the dmz is 10.0.0.0 you would need to do something like this

1.Specify the source(s) of the traffic that must be translated.

ASA-Device name(config)# nat (inside) 1 192.168.0.0 255.255.0.0

ASA-Device-name(config)# global (DMZ) 1 interface. HTH

Re: DMZ configuration

chevymannie — Mon, 19 Jan 2009 22:19:07 GMT

Cool, so how would an acl for the dmz look for accessing a web server?

Re: DMZ configuration

sdoremus33 — Tue, 20 Jan 2009 02:13:46 GMT

So if you want to create an access-list in this situation where insode hosts access a server on the DMZ I believe you do the following not 100% sure though.

1. Create access-list for traffic

access-list insidetodmz permit tcp 192.168.0.0 255.255.0.0 (ip address of server on DMZ)eq 80

2. create the static nat entry baesd upon the acl

static (inside,dmz) (ip address of serveron dmz)(ip address of server on dmz) -- This is referred to as identity Nat

The reason I am doing identity Nat is because when you specified the traffic in the acl you are basically saying permit traffic source from (src) subnet 192.168.0.0 to (dst) ip address of server on DMZ.

Next what you have to do is use a static nat translation ( This basically adds an xlate entry in the database, also a conn entry is created to xlate traffic from the inside to the dmz), and because the acl permits traffic from 192.168.0.0 to (Nat server address), you are basically hiding your inside subnet(192.16.0.0) and presenting it as (ip address of the DMZ server you want to access).HTH

Re: DMZ configuration

sdoremus33 — Tue, 20 Jan 2009 02:59:15 GMT

I just wanted to make a couple more suggestions here

This step:incorporating acl + nat static cmd

So if your internal network is 192.168.0.0 and the dmz is 10.0.0.0 you would need to do something like this

1.Specify the source(s) of the traffic that must be translated.

ASA-Device name(config)# nat (inside) 1 192.168.0.0 255.255.0.0

ASA-Device-name(config)# global (DMZ) 1 interface. HTH

is not mutually exclusive with my last suggestion (acl + static nat)

So either do one or the other in your configuration as it will lead to undesireable results.

Also you need to keep in my mind the order in which nat statements occur, excerptr from cisco Pix book

If you configure several address translation operations, you might have some overlap between them. For example, the same local address might appear in more than one NAT definition. To resolve any ambiguity, the firewall evaluates the various types of NAT in the following order before creating an xlate entry:

NAT exemptions (nat 0 access-list commands)

Policy NAT (static access-list commands)

Static NAT (static commands without port numbers)

Static PAT (static commands with port numbers)

Policy NAT (nat nat_id access-list commands)

Dynamic NAT and PAT (nat nat_id commands)

Re: DMZ configuration

sdoremus33 — Tue, 20 Jan 2009 03:03:47 GMT

One last note: forgotr to mention.

If you configure a static translation ie.....

static (inside,outside) x.x.x.x y.y.y.y where x.x.x.x = outside y.y.y.y = inside, it will create an xlate entry for both invound and outbound access.