host inside DMZ with a public IP configured - no access to outside

born.jason
Level 1

Hi,

I have a server in a DMZ configured with a direct public IP. What do I have to configure on the ASA so that the server is reachable from outside and has internet access from the DMZ? It's a web server and FTP server.

For example:

INSIDE: 10.10.10.0 /24

DMZ: 213.140.0.9 /29

ASA DMZ Interface: 213.140.0.10

DMZ Server: 213.140.0.12

At the moment I'm not able to reach the internet or access the DMZ server from the internet. What steps do I have to configure, in simple words for a beginner?

Thanks and best regards

Jason

5 Replies

Hi,

If you're running 8.2.x and below you need a static NAT and an ACL:

static (dmz,outside) 213.140.0.9 213.140.0.9
access-list outside permit tcp any host 213.140.0.9 eq XXX

You need the static to create the NAT entry and the ACL to allow the ports needed.
The ACL should be applied to the outside interface in the inbound direction.

Hope it helps.


Federico.

Thanks Federico.

And if I'm running ASA 8.3(1)? What does it look like there?

The concept is the same, but the syntax changes:

object network obj-213.140.0.9
 host 213.140.0.9
 nat (dmz,outside) static 213.140.0.9

In version 8.3, the ACL should reference the real IP, not the NATed one, but it does not matter here since you're using the public IP directly.

Federico.

You mean the network or the host?

object network obj-213.140.0.9
 network 213.140.0.9
 nat (dmz,outside) static 213.140.0.9

or the DMZ host

object network obj-213.140.0.12
 host 213.140.0.12
 nat (dmz,outside) static 213.140.0.12

And the ACL is the same, and I have to assign it to the inside interface like you said in your first post?

access-list outside permit tcp any host 213.140.0.9 eq XXX

That is correct. Since you are interested in accessing the host on a specific port, you can configure the object group with the "host" keyword and then configure the static NAT. In the access-list, you can allow access to specific ports. One thing you need to remember is that some of the early 8.3 versions have proxy ARP issues related to identity NAT (the way you are doing it). If your configuration does not work, then try configuring a private IP on the DMZ and statically mapping it to a public IP on the outside and see if that helps (when you do this, in your access-list, you need to allow access to the real IP, i.e. the private IP).

Hope this helps.

Regards,

NT
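A complete worked configuration for the 8.3+ syntax discussed in this thread, added here as an example; it is not taken from any of the posts above. It uses the addresses Jason gave and assumes the interface names inside/outside/dmz and a DMZ security level of 50. Variant A is the identity NAT Federico and NT describe; Variant B is NT's fallback with a private address on the DMZ, where 10.20.20.12 and 10.20.20.1 are constructed placeholders. The access-group line is the standard way to bind the ACL to the outside interface inbound, which the thread describes but never shows. Only one variant should be active at a time.

```cisco
! --- DMZ interface (security level assumed; interface name as used in the thread)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 213.140.0.10 255.255.255.248

! --- Variant A: server keeps its public address, translated to itself (identity NAT)
object network obj-213.140.0.12
 host 213.140.0.12
 nat (dmz,outside) static 213.140.0.12

! In 8.3+ the ACL names the real address, which here is the public one.
! Only the two services that were asked about are opened.
access-list outside_access_in extended permit tcp any host 213.140.0.12 eq www
access-list outside_access_in extended permit tcp any host 213.140.0.12 eq ftp
access-group outside_access_in in interface outside

! --- Variant B: NT's workaround for early 8.3 proxy-ARP problems with identity NAT.
! The DMZ is renumbered to a private range (10.20.20.0/24 is a constructed placeholder)
! and the server is statically mapped to the public address on the outside.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.20.20.1 255.255.255.0

object network obj-webserver-dmz
 host 10.20.20.12
 nat (dmz,outside) static 213.140.0.12

! The ACL must now permit the real (private) address, not 213.140.0.12.
access-list outside_access_in extended permit tcp any host 10.20.20.12 eq www
access-list outside_access_in extended permit tcp any host 10.20.20.12 eq ftp
access-group outside_access_in in interface outside

! --- Outbound from the DMZ (both variants)
! The same static NAT entry translates the server's own connections towards the internet.
! Traffic from dmz (50) to outside (0) is allowed by default as long as no ACL is bound
! to the dmz interface; if one is, it must also permit the server's outbound traffic.
! Active-mode FTP data connections rely on the ftp inspection in the default global_policy.
```

After applying either variant, `packet-tracer input outside tcp 198.51.100.7 12345 213.140.0.12 80` (source address is a constructed documentation value) walks a simulated inbound packet through the NAT and ACL phases and reports the phase at which it is dropped, which is the quickest way to tell a missing static entry from a missing ACL line; `show nat` and `show xlate` confirm the translation exists.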
