
DMZ Zone

saroj pradhan
Level 1

Hi,

I have created a DMZ zone on the Cisco ASA 5510 firewall. The DMZ is using a public IP address.

I am able to access the internet from the DMZ zone, but unable to access the server from the inside to the DMZ zone.

Please suggest a command to allow access from the inside network to the DMZ network.

Regards,

Saroj

Also, please suggest how to allow access to the DMZ server from the internet.

Regards,

Saroj

Accepted Solution

  1. If you have an ACL on the inside interface, then you need an ACE for the traffic.
  2. The traffic from inside to the DMZ has to be exempted from NAT. The config-syntax depends on the version of the ASA, but you don't tell us which version you are running.

For ASA up to 8.2:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html#wp1077621

For ASA 8.3+:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_rules.html#wp1232160
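A worked configuration for the two points in the accepted solution (NAT exemption for inside-to-DMZ traffic, plus an ACE if the inside interface already carries an ACL), followed by the packet-tracer check used later in the thread. This is an added example, not config from the thread. It assumes the interface names "inside" and "dmz", an inside subnet of 172.16.48.0/24 (the PC 172.16.48.111 from the later posts is on it), and the DMZ web server 122.168.191.226 named later in the thread; the object and ACL names are placeholders.

```cisco
! Added example (not from the thread). Assumes interfaces "inside" and "dmz",
! inside subnet 172.16.48.0/24 (assumed from the PC 172.16.48.111) and the
! DMZ web server 122.168.191.226 from the later posts.

! --- ASA 8.3 and later: identity (twice) NAT so inside-to-DMZ traffic keeps
! its real addresses instead of being translated like internet-bound traffic
object network INSIDE-NET
 subnet 172.16.48.0 255.255.255.0
object network DMZ-SERVER
 host 122.168.191.226
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-SERVER DMZ-SERVER

! --- ASA 8.2 and earlier: NAT exemption ("nat 0") keyed on an ACL
access-list NONAT extended permit ip 172.16.48.0 255.255.255.0 host 122.168.191.226
nat (inside) 0 access-list NONAT

! --- Only if an ACL is already applied inbound on "inside": add an ACE for the
! DMZ web server to that existing ACL (INSIDE-IN is a placeholder name). Do not
! create a new inside ACL just for this: a freshly applied ACL ends with an
! implicit deny and would block everything else leaving the inside network.
access-list INSIDE-IN extended permit tcp 172.16.48.0 255.255.255.0 host 122.168.191.226 eq 80

! --- Verify: simulate the PC's web request and read the per-phase result
! (NAT, ACL, route); the first phase that reports DROP is the one to fix
packet-tracer input inside tcp 172.16.48.111 12345 122.168.191.226 80
show nat
show access-list INSIDE-IN
```

On 8.3 and later, ACEs reference real (untranslated) addresses; because the DMZ server sits on its public address directly, the real and mapped addresses are the same here. Run packet-tracer once before and once after the change, and keep the output with the change record so the drop phase, not a guess, drives the next fix.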


Hi, as I am using the public IP address of the server in the DMZ zone, please suggest a command to allow access to the server from the internet.

Regards,

Saroj

The following ACL allows any HTTP and HTTPS traffic to your DMZ server (192.0.2.80 in my example):

access-list OUTSIDE-IN permit tcp any host 192.0.2.80 eq 80

access-list OUTSIDE-IN permit tcp any host 192.0.2.80 eq 443

That ACL needs to be applied to the outside interface:

access-group OUTSIDE-IN in interface outside

If there is already an ACL on the outside interface, then use that ACL instead.

Hi,

Thanks for the reply. The DMZ server is accessible from the internet, but the server is still not accessible from the inside interface. Enclosed please find my ASA config, and please help.

Does it need any routing also?

Regards,

Saroj

Hi,

Now I have configured the NAT exempt and am able to ping the DMZ server from the inside of the ASA firewall, but I am unable to access the server on port 80.

Please advise.

Regards,

Saroj

Hi,

I am trying to access the web server 122.168.191.226 from my PC 172.16.48.111 on port but am unable to access it. I ran the command packet-tracer input inside tcp 172.16.48.111 12345 122.168.191.226 80. Enclosed is the report; please advise.

Regards,

Saroj


 
