03-30-2012 02:50 AM - edited 03-11-2019 03:48 PM
I am using the ASA version below:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
I have been tasked with enabling access from our internal networks to servers that are hosted on the DMZ and NATed to external clients.
How do I do this? The DMZ is not an internal routable network, so do I use another NAT somehow?
How do I propagate the DMZ server across the internal network?
Thanks
03-30-2012 03:01 AM
Hi Jeff,
Going by your description, I assume you have three interfaces on the ASA, outside, inside and DMZ.
If you would like to access the DMZ servers on public IPs from the inside interface, then you would need the following config:
static (DMZ,inside) 1.1.1.1 10.1.1.1
nat (inside) 1 0 0
global (DMZ) 1 interface
where 1.1.1.1 is the public IP and 10.1.1.1 is the private IP of the server.
If you want to access DMZ servers on their original IPs only:
static (DMZ,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
nat (inside) 1 0 0
global (DMZ) 1 interface
This should be the minimum required config, unless I didn't understand your setup correctly. Moreover, can you tell me what device you are using? Model number? Base or Plus license?
Hope that helps.
Thanks,
Varun
03-30-2012 04:01 AM
Thank you for responding Varun, but the DMZ network is not routable across our MPLS network, so that is what I need to understand. Do I have to set up another NAT so that we can access the DMZ servers from anywhere in our network? Even across the MPLS from other offices?
I am using an ASA 5510 ver 8.2(1)
running ASDM 6.2(1)
here are the interfaces
interface Ethernet0/0.10
description SE-GF1-CR-A Tranit
vlan 10
nameif Inside
security-level 100
ip address 10.116.10.5 255.255.255.0 standby 10.116.10.6
interface Ethernet0/0.666
description SE-GF1-CR-A Legacy
vlan 666
nameif Legacy
security-level 100
ip address 172.16.104.254 255.255.252.0 standby 172.16.104.1
!
interface Ethernet0/1
description SE-GF1-CR-A Gi1/0/4 Trunk
speed 1000
duplex full
no nameif
security-level 100
no ip address
!
interface Ethernet0/1.20
vlan 20
nameif DMZ
security-level 40
ip address 172.16.111.1 255.255.255.0 standby 172.16.111.2
!
interface Ethernet0/2
description SE-GF1-CR1-A connects to Tele2 ISP
speed 100
duplex full
no nameif
security-level 0
no ip address
!
interface Ethernet0/2.15
vlan 15
nameif Outside
security-level 0
ip address pix_outside 255.255.255.240 standby 212.247.51.2
!
interface Ethernet0/3
speed 100
duplex full
nameif Extern
security-level 0
ip address 212.247.51.17 255.255.255.240 standby 212.247.51.27
03-30-2012 04:26 AM
Hi Jeff,
Yes, you would need to set up the NAT that I suggested in my previous post; that would give you complete access to the servers from the inside interface. From any other interface the config is going to be the same, just change the interface names.
Thanks,
Varun
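Putting the advice above together with the interface names from Jeff's config, the following is an added example (not from either poster) of the two ways the DMZ server can be reached from Inside and Legacy on ASA 8.2; the server address 172.16.111.10 and the mapped address 10.116.10.200 are constructed values.

```cisco
! Added example, not from the thread. Interfaces Inside (10.116.10.0/24),
! Legacy (172.16.104.0/22) and DMZ (172.16.111.0/24) are those in Jeff's config.
! 172.16.111.10 (DMZ server) and 10.116.10.200 (free Inside address) are constructed.
!
! Option A: publish the DMZ server under an address on the already-routed Inside
! subnet. Remote MPLS sites need no route for 172.16.111.0/24; the ASA answers
! ARP for 10.116.10.200 on Inside (proxy ARP for static mappings is on by default).
static (DMZ,Inside) 10.116.10.200 172.16.111.10 netmask 255.255.255.255
!
! Option B: identity NAT keeps the real DMZ addresses (Varun's second config).
! Internal routers must then carry 172.16.111.0/24 toward the ASA Inside
! address 10.116.10.5, otherwise remote sites cannot reach the DMZ.
static (DMZ,Inside) 172.16.111.0 172.16.111.0 netmask 255.255.255.0
static (DMZ,Legacy) 172.16.111.0 172.16.111.0 netmask 255.255.255.0
!
! Dynamic PAT for connections initiated from Inside/Legacy toward the DMZ
! (required when nat-control is enabled; harmless otherwise).
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Legacy) 1 0.0.0.0 0.0.0.0
global (DMZ) 1 interface
!
! Least privilege: traffic from a higher security level is allowed by default,
! so restrict Inside to the published service only. On 8.2 an inbound ACL sees
! the destination as the Inside hosts address it (10.116.10.200 for option A,
! 172.16.111.10 for option B), hence both hosts are listed.
access-list Inside_to_DMZ extended permit tcp 10.116.0.0 255.255.0.0 host 10.116.10.200 eq 443
access-list Inside_to_DMZ extended permit tcp 10.116.0.0 255.255.0.0 host 172.16.111.10 eq 443
access-list Inside_to_DMZ extended deny ip any 172.16.111.0 255.255.255.0
access-list Inside_to_DMZ extended permit ip any any
access-group Inside_to_DMZ in interface Inside
!
! Apply the new translations and verify the path before telling the remote sites.
clear xlate
show xlate
packet-tracer input Inside tcp 10.116.10.50 12345 172.16.111.10 443
```

packet-tracer reports the NAT rule and ACL entry each phase hits, which is the quickest way to see whether a failure is a missing static, a denied ACL line, or a routing gap on the MPLS side.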