04-02-2012 11:30 PM - edited 03-11-2019 03:49 PM
Server on DMZ with private IP 10.10.10.10 mapped to IP 172.20.1.10
static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255
Are inside users going to access the machine on the DMZ through the outside interface?
04-03-2012 01:13 AM
Hi,
Your INSIDE host can/will access the DMZ host with the IP address 172.20.1.10 from the INSIDE interface (provided you have a route for it OR the default route points towards the ASA, which probably is the case).
The outside interface has nothing to do with the above configuration.
- Jouni
EDIT: Had written DMZ instead of INSIDE at the start of the sentence.
04-03-2012 10:14 AM
What interface is 172.20.1.10 on?
If 172.20.1.10 is on the INSIDE interface, then any client requesting 172.20.1.10 coming into the firewall from the INSIDE interface would be able to hit the private IP (as long as ACLs allow it).
If 10.10.10.10 sends data to the INSIDE, it will get converted to 172.20.1.10, but will not if it goes out another interface.
I hope this helps.
Scape
04-03-2012 10:26 AM
journiforss, both the inside and dmz are interfaces on the ASA, so no routing is necessary, right (as long as using version 8.43 or later)?
04-03-2012 11:03 AM
Hello Prashant,
As your NAT says (DMZ,INSIDE), those 2 interfaces are the only ones involved in the communication from an inside host to the DMZ server.
That being said, let me know if you need something else.
Do rate all the helpful posts
Julio
04-04-2012 12:05 AM
Hi
Can inside users access the DMZ server with the mapped address?
04-04-2012 12:09 AM
Hi,
With the NAT command you mentioned in the original post:
static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255
You can access the DMZ server 10.10.10.10 from your INSIDE network with the mapped address of 172.20.1.10.
- Jouni
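Added example, not part of the thread or any poster's configuration: the static NAT from the original post beside its equivalent in the 8.3-and-later object NAT syntax, followed by commands to confirm the translation from the INSIDE side. The object name DMZ-SERVER, the inside client address 192.168.1.50 and the port numbers are assumptions chosen for illustration.

```text
! Pre-8.3 syntax (the command from the original post):
! real host 10.10.10.10 on dmz is presented as 172.20.1.10 to the inside interface
static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255

! 8.3 and later: the same translation written as object NAT
! (object name DMZ-SERVER is an assumption)
object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,inside) static 172.20.1.10

! Check 1: simulate a constructed inside client (192.168.1.50) opening TCP/80
! to the mapped address. Expect an UN-NAT phase that rewrites 172.20.1.10
! to 10.10.10.10, and an output interface of dmz (not outside).
packet-tracer input inside tcp 192.168.1.50 12345 172.20.1.10 80

! Check 2: confirm the translation entry exists between dmz and inside only
show xlate

! Check 3 (8.3 and later): show the NAT rule with its real and mapped addresses
show nat detail
```

If an ACL is applied inbound on the inside interface, it must permit this traffic: before 8.3 the ACL matches the mapped address 172.20.1.10, while from 8.3 onward it matches the real address 10.10.10.10.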