Allowing certain outside IPs to enter DMZ

KCMM14457
Level 1

Hello,

I have a DMZ set up for our new SFTP server. I'm trying to make it so that only specific outside IPs can get into this server. Do I need to create a NAT rule or an ACL on our ASA5512?

Thank you,

Accepted Solution

object network dmz-host-real
 host 192.168.100.1
!
object network dmz-host-mapped
 host 67.54.23.11
!
object-group network OUTSIDE_IP
 network-object host 55.55.55.55
 network-object host 22.22.22.22
!
! twice NAT needs both objects: the real object first, then the mapped one
nat (dmz,outside) source static dmz-host-real dmz-host-mapped
!
! on ASA 8.3 and later the ACL matches the real (untranslated) address,
! and it is applied inbound on the interface where the outside traffic arrives
access-list dmz_in extended permit tcp object-group OUTSIDE_IP object dmz-host-real eq ssh
access-group dmz_in in interface outside

Change the names in the above configuration according to your needs.

please do not forget to rate.

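As an added illustration (constructed here, not code from the thread or from Cisco), a small Python model of how an ASA running 8.3 or later handles a packet that arrives on the outside interface for the SFTP host: the static NAT un-translates the mapped public IP to the real DMZ IP first, and only then is the interface ACL evaluated, which is why the ACL references dmz-host-real and why anything not listed in OUTSIDE_IP falls through to the implicit deny. The ACE model and the sample packets are assumptions for the demonstration.

```python
"""Model of ASA (8.3+) inbound handling: destination NAT (mapped -> real),
then interface ACL evaluation against the REAL address, first match wins,
implicit deny at the end.  Constructed example, not Cisco code."""
from dataclasses import dataclass

# Values from the thread: mapped public IP, real DMZ IP, permitted outside hosts.
STATIC_NAT = {"67.54.23.11": "192.168.100.1"}      # nat (dmz,outside) source static
OUTSIDE_IP = frozenset({"55.55.55.55", "22.22.22.22"})  # object-group network OUTSIDE_IP
DMZ_HOST_REAL = "192.168.100.1"                    # object network dmz-host-real
DMZ_HOST_MAPPED = "67.54.23.11"                    # object network dmz-host-mapped


@dataclass(frozen=True)
class Ace:
    """One access-list entry with its source object-group already expanded."""
    action: str        # "permit" or "deny"
    proto: str         # "tcp"
    src: frozenset     # set of permitted source hosts
    dst: str           # destination host (real address on 8.3+)
    dport: int         # destination port (22 == ssh)


# access-list dmz_in extended permit tcp object-group OUTSIDE_IP object dmz-host-real eq ssh
DMZ_IN = [Ace("permit", "tcp", OUTSIDE_IP, DMZ_HOST_REAL, 22)]
# The pre-8.3 habit of writing the ACL against the MAPPED address; shown only as the mistake.
DMZ_IN_MAPPED = [Ace("permit", "tcp", OUTSIDE_IP, DMZ_HOST_MAPPED, 22)]


def untranslate(dst_ip: str) -> str:
    """Outside -> DMZ direction of the static NAT: mapped IP becomes the real IP."""
    return STATIC_NAT.get(dst_ip, dst_ip)


def evaluate(acl, proto: str, src: str, dst_real: str, dport: int) -> str:
    """First matching ACE decides; an ASA interface ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto == proto and src in ace.src and ace.dst == dst_real and ace.dport == dport:
            return ace.action
    return "deny"


def inbound_decision(proto: str, src: str, dst_mapped: str, dport: int, acl=None) -> str:
    """Packet arriving on the outside interface: NAT lookup first, then the ACL."""
    return evaluate(DMZ_IN if acl is None else acl, proto, src, untranslate(dst_mapped), dport)


if __name__ == "__main__":
    print(inbound_decision("tcp", "55.55.55.55", "67.54.23.11", 22))  # permit
    print(inbound_decision("tcp", "99.99.99.99", "67.54.23.11", 22))  # deny (not in OUTSIDE_IP)
    print(inbound_decision("tcp", "55.55.55.55", "67.54.23.11", 80))  # deny (only port 22 allowed)
    print(inbound_decision("tcp", "55.55.55.55", "67.54.23.11", 22, DMZ_IN_MAPPED))  # deny
```

The last call shows what happens if the ACL names the mapped object instead of dmz-host-real: after un-translation nothing matches, so even a permitted source is dropped.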

5 Replies

You need both NAT rules and an ACL. Since you only want specific IP addresses, here is an example:

!
object network dmz-host-real
 host 192.168.100.1
!
object network dmz-host-mapped
 host 67.54.23.11
!
! twice NAT needs both objects: the real object first, then the mapped one
nat (dmz,outside) source static dmz-host-real dmz-host-mapped
!
! the ACL matches the real (untranslated) address and is applied inbound
! on the interface where the outside traffic arrives
access-list dmz_in extended permit tcp host 55.55.55.55 object dmz-host-real eq 22
access-group dmz_in in interface outside
!

For example, 55.55.55.55 is your specific outside public address which needs access to the SFTP server.

please do not forget to rate.

Since I'll have a few outside IPs that need to be allowed in, can you create an object group and then create an ACL to allow that group in? Right now I only have this ACL in place:
access-list inbound extended permit tcp any object SFTP_SERVER eq 22

Yes, you can do this.

!
object network dmz-host-real
 host 192.168.100.1
!
object network dmz-host-mapped
 host 67.54.23.11
!
object-group network OUTSIDE_IP
 network-object host 55.55.55.55
 network-object host 22.22.22.22
!
! twice NAT needs both objects: the real object first, then the mapped one
nat (dmz,outside) source static dmz-host-real dmz-host-mapped
!
! the ACL matches the real (untranslated) address and is applied inbound
! on the interface where the outside traffic arrives
access-list dmz_in extended permit tcp object-group OUTSIDE_IP object dmz-host-real eq ssh
access-group dmz_in in interface outside
!

please do not forget to rate.

So where you have the access-list TEST, does TEST represent "inbound" like the ACL I have now, or is it going to be the SFTP_SERVER?
