Hi,

3) Is it necessary to do a NAT from inside to DMZ with the same IP as of inside
If you have no nat-control enabled, then no need, if nat-cpontrol enabled, you would need it.
5) Is it necessary to permit traffic from DMZ to inside?
Yes, definitely.
6) Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?
Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only.

I have doubts on the above points.

1) What exactly is Nat-control?

2) What is the need to permit traffic from DMZ to inside.

3) "

Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only."

Webserver is publiching a webpage right? Also it is having a public IP address. So whenever we try to access that webpage it should go through internet, right?

If something like RDP it will go to through inside interface--ASA--DMZ interface -- webserver, right?

Is my concept is clear?

I am asking this because i need to get it clarified before implementaion.

Please advice

Thanks

Vipin

Hi Vipin,

Nat-control is a feature which when enabled on the ASA, would need transalation for every traffic on the ASA, if it is not enabled, you can just allow traffic through ACL.

Here's a reference guide for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857

DMZ to inside access depends upon your requirement, if you don't need it, don't allow traffic. If you want traffic from inside to DMZ, that woudl be allowed by default.

To allow access to webpage on inside interface as well as from the internet, you would need to add two static commands:

lets say server public ip is 1.1.1.1 and private ip is 10.1.1.1

then:

static (dmz,outside) 1.1.1.1 10.1.1.1

static (dmz,inside) 1.1.1.1 10.1.1.1

The traffic from inside interafce would go through the ASA only, and from outside it would come from internet and then go to DMZ.

Thats all you should need as far as Nat is concerned.

Hope that helps.

Thanks,

Varun

Hi ,

Got it.

My requirement is as below.

1) configure DMZ with a server.( this serve is used to  download data from other locations. i know the IP address of the other servers. they are publically available.)

2) Now this server is connected directly to a modem. So after DMZ creation also this will as this.

3) Need to access DMZ server from inside. By deault it is there right?

I will tell my plan. please suggest if it has any errors?

1) put the server in to DMZ interface

2) Configure a new network for DMZ

3) Configure static NAT for the server using static (dmz,outside) coammand

4) Permit rule for access this server from other servers

5) Permit static (inside,dmz) 192.168.1.0 192.168.1.0 for accessing DMZ server from inside host

Did i miss anything?

Please advice

Thanks

Vipin

Hi Vipin,

Yes, you are absolutely correct, as per your requirement, but just one thing, if your DMZ server is in the network 192.168.1.0 network, then you would need the following static:

static (dmz,inside) 192.168.1.0 192.168.1.0

Rest everything is good.

Thanks,

Varun

Hi,

static (dmz,inside) 192.168.1.0 192.168.1.0 is this required? my inside is in the range of 192.168.1.0. DMZ will be in the range of 192.168.2.0.

Please Advice

Thanks

No, Nat would not be required for Inside, you would just need nat for DMZ;

static (dmz,inside) 192.168.2.0 192.168.2.0

For inside, you would need:

nat (inside) 1 0 0

global (dmz) 1 interface

Try it and let me know, it shoudl work fine.

Thanks,

Varun

Please check the below scenario and configuration and let me know whether it will work or not

Assume my inside network is 192.168.1.0/24

          outside network is 199.199.7.64/29

          DMZ network is 192.168.2.0/24

   DMZ server IP address --> 192.168.2.2

please see the below configuration which i am planning to implement

===================================
1) Confiure interfaces,IP addresses
===================================

interface Ethernet0/0
description "Connection to LAN"
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
description "Connection to outside"
nameif outside
security-level 0
ip address 199.199.7.66 255.255.255.248
!
interface Ethernet0/2
description "DMZ"
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0

=====================================
2)Configuring PAT for inside and default route
=====================================

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 199.199.7.65 1

=====================================
3) Configure static NAT for DMZ server
=====================================

static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255

=====================================
4)RUle to permit traffic from outside to DMZ server
=====================================

access-list OUTSIDE_INSIDE extended permit Ip any host 199.199.7.67
access-group OUTSIDE_INSIDE in interface outside

====================================
5)RUle to permit traffic from DMZ server to outside
====================================

access-list DMZ_OUTSIDE extended permit ip host 192.168.2.2 any
access-group DMZ_OUTSIDE in interface DMZ

====================================
6)No NAT from inside to DMZ and DMZ to inside
====================================

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

====================================================================================

I am having some questions also.

1) is this configurations are right?

2) Is there anything wrong in the title 5 and title 6 ( i mean configuration i mentioned above)

3) is there anything i need to configure ?

please advice........

Thanks
Vipin

Hi,

Thanks, i got it

So it will work right? Also are you aware of the port numbers used for signature update of trend micro antivirus?

If you do please specify.

Thanks

Vipin

Hi Vipin,

Are you talking about CSC module or IPS module, in both the cases updates atre done through port 80 and 443.

Thanks,

Varun

Hi,

I am not aware of these modules.  it would be great if you can share some information regarding these modules. in a normal case which will be the port numbers for virus signature update.

I am also searching for the portnumbers.

Thanks

Vipin

Hi Vipin,

These modules use port 80 mand 443 for signature updates and other anti-virus updates. CSC updates from the Trendmicro servers and IPS from Cisco sites.

CSC - Content Security Module.

It is used for filtering and blocking web traffic like smtp,ftp,https,http and pop3.

IPS - Intrusion Prevention module

It is used to detect any intrusion based upon specific patterns defined in signatures.

Here are the docs for the 2:

CSC:

http://www.cisco.com/en/US/products/ps6823/index.html

IPS:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cliguide.html

Hope that helps.

Thanks,

Varun

Hi,

No No Not this. I am having a seperate antivirus server. It is from Trend Micro.

Thanks for your help

Vipin