01-30-2014 08:30 AM - edited 03-11-2019 08:38 PM
Hi,
Can you help me access DMZ host C2 from the inside network? From host C1 (inside) I can access any service on the DMZ.
What configuration should be done to permit access from inside to DMZ and from DMZ to inside for any service?
01-30-2014 08:33 AM
Find the diagram.
01-30-2014 08:54 AM
Hi,
The required configuration really depends on your current configuration.
If I were to presume that you have no interface ACLs configured, then you will need an ACL configured on the DMZ interface, since you need to allow traffic to a higher "security-level" interface's networks.
Typically connections from DMZ to LAN are not allowed that broadly.
Since you are essentially asking to allow all traffic from DMZ to LAN and also need to allow traffic from DMZ to the external network, then you could simply add
access-list DMZ-IN remark Allow all traffic from DMZ
access-list DMZ-IN permit ip any any
access-group DMZ-IN in interface DMZ
- Jouni
01-30-2014 08:32 PM
Hi Jouni,
Thanks for the reply...
I have one query: I added dynamic NAT from inside to DMZ and I can access the DMZ host. Should I need to add NAT from DMZ to inside?
In the log it is getting an error that there is no NAT translation from DMZ to inside....
suhas
01-30-2014 08:48 PM
Hello ,
NAT works in bidirectional mode, e.g.
Suppose you are doing source NAT from inside to DMZ. So for the traffic coming from DMZ to inside it works as destination NAT.
And if you want to do source NAT from DMZ to inside, then you can do this by:
Doing destination NAT from inside to DMZ or source NAT from DMZ to inside.
Hope this helps you.
Thanks
01-30-2014 10:30 PM
Hi vishaw,
I am getting a NAT translation error in the log. I mean I need to add NAT from DMZ to INSIDE... right...?
suhas
01-30-2014 11:37 PM
Hello ,
If you had done source NAT from inside to DMZ and you want source NAT from DMZ to inside, then you have to do NAT for DMZ to inside.
Also make sure that you have opened the access for DMZ to inside as told by Jouni.
Thanks
01-31-2014 12:17 AM
Hello, try this.
object network Inside-Source
range
object network DMZ-Source
range
object network Inside-Destination
range
object network DMZ-Destination
range
nat (inside,DMZ) source dynamic Inside-Source DMZ-Destination destination static Inside-Destination DMZ-Source
Try this...
Thanks
01-31-2014 04:06 AM
Hi
What software version are you using?
As 8.3 and above won't require NAT for this to work.
Please post the current configuration of the ASA.
Cheers
Naveen
01-31-2014 04:50 AM
Hi Naveen,
I have a Cisco PIX.
I have removed all the config which I had configured for inside to DMZ and DMZ to inside traffic...
-Suhas
01-31-2014 05:54 AM
Suhas
You need a static NAT to go from DMZ to inside. Do you want to allow just C1 or the whole subnet that C1 is on?
If just C1, then using 192.168.5.10 as C1's IP -
static (inside,DMZ) 192.168.5.10 192.168.5.10 netmask 255.255.255.255
If you want to be able to access any inside host on the 192.168.5.0/24 network -
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Jon
01-31-2014 10:04 AM
Hi Jon,
Will it work bidirectionally? DMZ to INSIDE and INSIDE to DMZ... for the whole network?
Should I add an access-list on both sides?
-Suhas
01-31-2014 10:05 AM
Suhas
Yes, static NAT works both ways.
You would need an access list on the DMZ interface to go to the inside.
Edit - as already stated your acl also needs to allow DMZ traffic to the outside.
Jon
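The thread keeps two separate requirements tangled together: the interface ACL (security-level rule) and the translation (pre-8.3 nat-control). The following Python model, added here and not part of the original thread or of any Cisco tooling, evaluates the DMZ-to-C1 flow against the three configurations that came up (dynamic NAT only, plus Jouni's ACL, plus Jon's identity static). C2's address, the security levels and the rule representation are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the PIX/ASA rules discussed in the thread; C2's address and rule sets are hypothetical.
SECURITY_LEVEL = {"inside": 100, "DMZ": 50, "outside": 0}

@dataclass
class Config:
    acls: dict = field(default_factory=dict)          # ingress iface -> [(action, proto, src, dst)]
    static_nats: list = field(default_factory=list)   # (real_ifc, mapped_ifc, real_net): usable both ways
    dynamic_nats: list = field(default_factory=list)  # (real_ifc, real_net): real side initiates only

def acl_allows(cfg, src_ifc, dst_ifc, pkt):
    """No inbound ACL bound: only higher -> lower security passes. ACL bound: it alone decides (implicit deny)."""
    rules = cfg.acls.get(src_ifc)
    if rules is None:
        return SECURITY_LEVEL[src_ifc] > SECURITY_LEVEL[dst_ifc]
    for action, proto, src, dst in rules:
        if proto in ("ip", pkt["proto"]) and src in ("any", pkt["src"]) and dst in ("any", pkt["dst"]):
            return action == "permit"
    return False

def nat_allows(cfg, src_ifc, dst_ifc, pkt):
    """Pre-8.3 nat-control: the flow needs a translation between the two interfaces; statics work from either side."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for real_ifc, mapped_ifc, net in cfg.static_nats:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in net:
            return True
        if (mapped_ifc, real_ifc) == (src_ifc, dst_ifc) and dst in net:
            return True
    return any(real_ifc == src_ifc and src in net for real_ifc, net in cfg.dynamic_nats)

def check_flow(cfg, src_ifc, dst_ifc, pkt):
    if not acl_allows(cfg, src_ifc, dst_ifc, pkt):
        return "denied: ACL / security level"
    if not nat_allows(cfg, src_ifc, dst_ifc, pkt):
        return "denied: no translation"
    return "permitted"

INSIDE_NET = ipaddress.ip_network("192.168.5.0/24")   # Jon's example subnet
C1, C2 = "192.168.5.10", "172.16.1.20"                 # C2's DMZ address is constructed
DMZ_TO_C1 = {"proto": "tcp", "src": C2, "dst": C1}
ORIGINAL = Config(dynamic_nats=[("inside", INSIDE_NET)])            # dynamic inside->DMZ NAT only
ACL_ONLY = Config(acls={"DMZ": [("permit", "ip", "any", "any")]},   # Jouni's DMZ-IN ACL added
                  dynamic_nats=[("inside", INSIDE_NET)])
FIXED = Config(acls=ACL_ONLY.acls, dynamic_nats=ACL_ONLY.dynamic_nats,
               static_nats=[("inside", "DMZ", INSIDE_NET)])         # plus Jon's identity static

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("acl only", ACL_ONLY), ("fixed", FIXED)):
        print(name, "DMZ->C1:", check_flow(cfg, "DMZ", "inside", DMZ_TO_C1))
```

The ACL-only configuration reproduces the "no translation" failure suhas saw in the log, while inside-to-DMZ keeps working in every configuration because the higher security level and the dynamic NAT already cover it.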