01-19-2012 06:56 PM - edited 03-11-2019 03:17 PM
Hi Jcarvaja and all:
I have a doubt to confirm on the situation below:
There is a web server on the internet. The firewall ASA5505 is located at the inside edge of the edge router and the internet is at the outside edge of the edge router. The router has already been configured and can route the outside network of the firewall to the internet.
The information of the IP address is as below :
Inside edge of the edge router : 192.168.20.2/24
Outside Network of Firewall ASA5505 : 192.168.20.0/24 with security level of 20
Outside Interface of the Firewall ASA5505 : 192.168.20.1/24
DMZ Network of the Firewall ASA5505 : 192.168.50.0/24 with security level of 50
Host at the DMZ : 192.168.50.10/24 with definition under the name of DMZ_Host
Static Mapped address of the Host at the DMZ to Outside Network: 192.168.20.10/24
1. I have a host at the DMZ zone of the firewall, and if it wants to access this web server by http, are the following command lines to be added to the ASA5505 good enough, and is anything wrong with them?
access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 --> allow outside to access dmz
access-list Outside_DMZ extended permit tcp host Web_server host DMZ_Host eq 80 --> allow web server to access dmz host
static (dmz,outside) 192.168.20.10 192.168.50.10 netmask 255.255.255.255 --> static mapped the dmz host to outside mapped address
route outside 0.0.0.0 0.0.0.0 192.168.20.2 --> static route of dmz network to internet
access-group Outside_DMZ in interface Outside --> applied the access list to firewall outside interface
2. I have a doubt here: do I need to add any command line related to the Static Mapped address of 192.168.20.10/24 like below?
access-list Outside_DMZ extended permit tcp any 192.168.20.10 255.255.255.0 eq 80
whereby the 192.168.20.10 is the static mapped address of the Host at the DMZ to the Outside Network. Or, does any other command related to the Static Mapped address have to be added?
thanks and regards,
tangsuan
01-19-2012 08:34 PM
Hello Tang,
Not at all, as the ASA knows from its NAT table that the IP address 192.168.20.10 is 192.168.50.10...
So as soon as the ASA receives a packet on the outside going to 20.10 it will know that it is intended to go to 50.10.
On the version you are running, NAT is seen after the ACL, so you need to create the ACL pointing at the public IP address.
Rate helpful posts!
Julio
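To make the accepted answer's point concrete, here is a small model of the pre-8.3 ASA order of operations on the outside interface (ACL evaluated against the address as received, then static NAT to the real DMZ address). It is an added example, not code or configuration from the thread; Web_server has no IP in the post, so the public addresses used here are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the thread; the two public IPs are constructed (TEST-NET ranges).
DMZ_HOST = ipaddress.ip_address("192.168.50.10")   # real address of DMZ_Host
MAPPED = ipaddress.ip_address("192.168.20.10")     # static mapped address on outside
WEB_SERVER = ipaddress.ip_address("203.0.113.7")   # constructed: the internet web server
OTHER_SRC = ipaddress.ip_address("198.51.100.9")   # constructed: some other outside host
ANY = ipaddress.ip_network("0.0.0.0/0")

# static (dmz,outside) 192.168.20.10 192.168.50.10 netmask 255.255.255.255
STATIC_NAT = {MAPPED: DMZ_HOST}

@dataclass
class Ace:
    proto: str                      # "tcp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any port

def host(addr):
    return ipaddress.ip_network(f"{addr}/32")

def matches(ace, proto, src, dst, dport):
    return (ace.proto in (proto, "ip") and src in ace.src and dst in ace.dst
            and (ace.dport is None or ace.dport == dport))

def inbound(acl, proto, src, dst, dport):
    """ACL is checked on the packet as received (mapped address), then NAT rewrites
    the destination. Returns the real destination, or None if the ACL denies."""
    if not any(matches(a, proto, src, dst, dport) for a in acl):
        return None                 # implicit deny at the end of every ACL
    return STATIC_NAT.get(dst, dst)

# Narrow rule written against the mapped address, as the accepted answer advises.
NARROW = [Ace("tcp", host(WEB_SERVER), host(MAPPED), 80)]
# The asker's proposed rule: any source, /24 mask around the mapped address.
BROAD = [Ace("tcp", ANY, ipaddress.ip_network("192.168.20.0/24"), 80)]
# A rule written against the real DMZ address never matches in this order.
REAL = [Ace("tcp", host(WEB_SERVER), host(DMZ_HOST), 80)]

def exposure(acl):
    """Who reaches DMZ_Host on port 80 under a given ACL, plus a port-22 probe."""
    return {
        "web_server": inbound(acl, "tcp", WEB_SERVER, MAPPED, 80),
        "other_src": inbound(acl, "tcp", OTHER_SRC, MAPPED, 80),
        "port_22": inbound(acl, "tcp", WEB_SERVER, MAPPED, 22),
    }
```

Running exposure() on NARROW, BROAD and REAL shows the three outcomes the thread discusses: only Web_server gets through with the narrow rule, every outside source gets through with the "any" rule, and the rule keyed on the real address matches nothing.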
01-19-2012 07:04 PM
Hello Tangsuan,
If you want to allow access from the outside server to the DMZ host on port 80 tcp (192.168.50.10 NATed on the outside to 192.168.20.10), you only need the following:
static (dmz,outside) 192.168.20.10 192.168.50.10
access-list Outside_DMZ extended permit tcp host Web_server host DMZ_Host eq 80
access-group Outside_DMZ in interface Outside
If you add the following:
access-list Outside_DMZ extended permit tcp any 192.168.20.10 255.255.255.0 eq 80
It could be a security threat, as you will be allowing connections to the server on the DMZ from any host on the outside, unless this is what you are looking for (access the server from anywhere on the outside).
Regards,
Julio
Rate helpful posts!
01-19-2012 08:02 PM
Hi Jcarvaja:
Thanks for your reply!
OK, I got the explanation of the threat, thanks!
I have a doubt as below:
If the command below:
access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0
is not added, can the Web_server still access the DMZ_Host? This is because, in my understanding, the Web_server with a public IP address will only be routed to the outside network of the firewall by the edge router.
Is it necessary to add the above command so that the firewall can allow the routed IP of this Web_server to access the DMZ_Host?
thanks and regards,
tangsuan
01-19-2012 10:08 PM
Hi Jcarvaja :
Thanks for your answer.
You help a lot on all my questions.
This case will be closed as you already provided the correct answer.
regards,
tangsuan
01-19-2012 10:50 PM
Hello Tang,
Not a problem! Just let me know if you have any other questions.
Julio