ASA 5510 DMZ without NAT

Ali Kraufvelin
Level 1
Level 1

Hi,

I'm currently replacing my existing firewall environment with a Cisco ASA 5510 and have a question regarding the DMZ.

I've currently set up like this:

Ethernet0/0 (outside) - Public static IP Address

Ethernet0/1 (inside) - LAN, internal IP addresses. Everything from here will be NATed from the outside.

Ethernet0/2 (dmz) - DMZ with class A addresses, which don't need NAT.

Do I have to set up some kind of NAT for the DMZ, or will the addresses pass through automatically (granted that I have set up proper ACLs for the access)? I have intra communication turned on.

Regards.

Andreas



You want to allow traffic from the DMZ to the inside and to the outside? Do you also need traffic from outside and inside to the DMZ?

Sent from Cisco Technical Support iPhone App

I want to know if I need to set up NAT for the DMZ when I use "external" IP addresses on the DMZ.

The DMZ interface has machines connected like 193.17.67.*; they're not supposed to be NATed, just put behind the firewall and have ACLs applied to them. What I wonder is: do I have to create NAT rules in the FW for, like, 193.17.67.250 pointing to 193.17.67.250?

Let's say I'm at home and want to connect to the server 193.17.67.250 which resides on my DMZ (an actual machine with the same IP on my DMZ). Do I have to put in some extra config for this, or will the outside interface just forward the packets to the DMZ interface and the 193.17.67.250 machine? Also, when I am at work using the machine and accessing services on the internet, will the address 193.17.67.250 be used, or will the address be the outside interface?

And yes, I also need traffic from the outside to DMZ hosts, some ACL-controlled traffic from certain hosts on the DMZ to the inside, and also traffic from inside to the DMZ.

Sorry if I'm confusing you.

/andreas

Ok, I see. If you have your public IPs on devices on the DMZ then you can use a static NAT translation for that subnet, for example:

static (dmz,outside) 193.17.67.X 193.17.67.X netmask 255.255.255.X

Additionally you need ACLs to allow traffic from the outside to the DMZ, for example, allowing HTTP traffic:

access-list outside_in permit tcp any host 193.17.67.X eq 80

access-group outside_in in interface outside

If you have more ports to allow then start adding ACLs. For the traffic from DMZ to inside you will need another type of static translation so that DMZ users could reach the internal IPs.

I hope this helps.
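A fuller version of the configuration the accepted answer sketches, as an added example that is not part of the original thread. It uses the same pre-8.3 `static`/`nat`/`global` syntax as the answer. The DMZ prefix 193.17.67.0/24 and the web server 193.17.67.250 come from the thread; the inside subnet 10.1.1.0/24, the database host 10.1.1.20, the outside and interface addresses, the interface security levels and the ACL names are assumed placeholders.

```cisco
! Added example, not from the thread. Pre-8.3 NAT syntax (ASA 5510).
! Assumed: outside 193.17.66.1/24 (placeholder), inside 10.1.1.0/24,
! DMZ gateway 193.17.67.1/24. From the thread: DMZ 193.17.67.0/24,
! web server 193.17.67.250.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 193.17.66.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 193.17.67.1 255.255.255.0
!
! Inside LAN is hidden behind the outside interface address (dynamic PAT).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! DMZ keeps its public addresses: an identity (self-to-self) static
! translation between dmz and outside, so nothing is rewritten in
! either direction and outside-initiated sessions can reach the DMZ.
static (dmz,outside) 193.17.67.0 193.17.67.0 netmask 255.255.255.0
!
! DMZ hosts reach inside hosts by their real addresses: identity static
! from inside to dmz (the "other type of static" the answer mentions).
! Without it, inside -> dmz traffic matches "nat (inside) 1" but finds
! no global on the dmz interface and is dropped.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Outside -> DMZ: only HTTP to the web server; everything else is
! dropped by the ACL's implicit deny.
access-list outside_in extended permit tcp any host 193.17.67.250 eq www
access-group outside_in in interface outside
!
! DMZ -> inside: allow only the specific flow needed (web server to an
! assumed database host on 1433), deny any other DMZ -> inside traffic,
! then let the DMZ out to the internet. Order matters: applying an ACL
! to the dmz interface removes the default higher-to-lower permit.
access-list dmz_in extended permit tcp host 193.17.67.250 host 10.1.1.20 eq 1433
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in extended permit ip 193.17.67.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Two things to check after applying something like this: `show xlate` should show identity entries for the DMZ hosts rather than translations to the outside address, which answers the question of which address a DMZ host uses when it goes out; and `packet-tracer input outside tcp 203.0.113.5 1025 193.17.67.250 80` (source address is a constructed example) should report ALLOW through the outside_in ACL and the identity static. On ASA 8.3 and later the `static`/`nat`/`global` commands are replaced by object NAT and twice NAT, so the answer's syntax applies to pre-8.3 code only; the design (identity NAT for the DMZ, explicit ACLs per interface) carries over unchanged.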

Thank you! That answered my question.

/andreas
