2154 Views | 0 Helpful | 16 Replies

How can we allow Internal Network to access DMZ network?

Beginnerrr
Level 1

Internal-DMZ.png
I am trying to configure the ASA to allow the Internal Network to access the web service provided by the DMZ web server, which is on the DMZ network. Above is my network diagram.

In my ASA configuration:

 

! Inside interface (security level 100)
interface e0/0
nameif inside
security-level 100
ip address 192.168.20.5 255.255.255.0

! DMZ interface (security level 70)
interface e0/1
nameif dmz
security-level 70
ip address 192.168.30.6 255.255.255.0

! Internal LAN subnet
object network internal-network
subnet 192.168.20.0 255.255.255.0

! DMZ web server
object network dmz-server
host 192.168.30.200

! Permit HTTP from the LAN to the DMZ server; applied inbound on inside
! (a port match such as "eq www" requires tcp, not ip)
access-list internal_web_in extended permit tcp object internal-network object dmz-server eq www
access-group internal_web_in in interface inside
 
I am unable to access the web service on the DMZ server from the Internal PC.
 
Please kindly assist.
 
Thank you

 

 


16 Replies

@Beginnerrr my initial guess is that traffic is being NAT translated. Do you have a NAT exemption rule in place to ensure traffic from the LAN to the DMZ is not unintentionally translated?

You can run packet-tracer from the CLI to simulate the traffic flow from the LAN to the DMZ, provide the full output as this might provide a clue to the problem.

 

Beginnerrr
Level 1

@Rob Ingram , I have not configured any NAT commands on this. How do I achieve this?
Could you please advise on how to run packet-tracer?

Can I ask if it is like this?
packet-tracer input internal tcp 192.168.20.4 1025 192.168.30.200 80?

@Beginnerrr try this:-

packet-tracer input inside tcp 192.168.20.4 1025 192.168.30.200 80

@Rob Ingram, here is the output.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.30.200 using egress ifc dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internal_web_in in interface inside
access-list internal_web_in extended permit tcp object internal-network object dmz-server eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

@Beginnerrr the packet-tracer output looks ok, it confirms no NAT and the ACL is working. Do the devices in the LAN and DMZ have the ASA IP address configured as the default gateway? Is there a local firewall enabled on the device in the DMZ?

How are you testing communication, by using a web browser to the IP address of the DMZ server or ping? If ping, then you need to explicitly allow icmp replies or run the command fixup protocol icmp to enable icmp inspection.

@Rob Ingram ,

Thanks to your solution, I was able to find that the firewall was enabled on the DMZ web server. I have disabled the firewall and the local LAN is able to access the DMZ.

May I kindly ask how to configure NAT for this internal network and DMZ?
Please advise.

@Rob Ingram ,

I am configuring dynamic NAT, but as far as I know there is no need to configure NAT between the DMZ and Internal.

But for an external network to access the DMZ, is there a need to configure NAT? How do I achieve this? Would it be something like this?


nat (dmz,outside) after-auto source dynamic any interface

 

@Beginnerrr for external network to access DMZ you would need a static NAT. (1-1 mapping). Typically, we use an address in the same subnet as the outside interface and translate the DMZ server IP to that address. You then also use an ACL to allow inbound traffic from outside to reach the DMZ server on the necessary listening port(s).
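The pieces Rob describes across this thread, put together as one added ASA (8.3+ NAT syntax) configuration example: the NAT exemption from his first reply, the ICMP inspection from his second, and the static 1:1 NAT plus inbound ACL from this one. This is not configuration from the original post. The outside interface and its address 203.0.113.2, the public address 203.0.113.10 mapped to the DMZ server, and the names dmz-network and outside_in are assumptions chosen for illustration (documentation address space).

```text
! --- Outside interface (assumed; not in the original post) ---
interface e0/2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0

! --- Objects ---
object network internal-network
 subnet 192.168.20.0 255.255.255.0

! assumed name for the whole DMZ subnet
object network dmz-network
 subnet 192.168.30.0 255.255.255.0

! --- 1. NAT exemption (identity twice-NAT): inside -> dmz stays untranslated ---
! packet-tracer already showed no translation on this flow; this states that
! intent explicitly so a later dynamic PAT rule cannot catch LAN->DMZ traffic.
nat (inside,dmz) source static internal-network internal-network destination static dmz-network dmz-network

! --- 2. Static 1:1 NAT for the DMZ server: 203.0.113.10 <-> 192.168.30.200 ---
! 203.0.113.10 is an assumed address in the outside interface's subnet.
object network dmz-server
 host 192.168.30.200
 nat (dmz,outside) static 203.0.113.10

! --- 3. Inbound ACL on outside: only the listening port, to the REAL address ---
! On ASA 8.3+ interface ACLs match the untranslated (real) IP, hence "object dmz-server".
access-list outside_in extended permit tcp any object dmz-server eq www
access-group outside_in in interface outside

! --- 4. ICMP inspection (modern form of "fixup protocol icmp") ---
! Lets echo replies return through the stateful inspection without a separate ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying this, the same packet-tracer check Rob used can be run from the outside direction, e.g. packet-tracer input outside tcp 198.51.100.7 1025 203.0.113.10 80 (source address constructed for the test), and should end with Action: allow through the NAT and outside_in phases. One caveat worth keeping in mind with the original post's inside ACL: once an access-group is applied inbound on inside, the implicit deny at its end replaces the security-level default for every destination, so inside hosts also need explicit permits for anything else they reach through the ASA (such as the outside). That is the behaviour MHM's suggestion to remove the ACL relies on, since without it the 100 -> 70 direction is allowed by security level alone.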

Remove the access list you use and check again.

The security level of inside is 100, which is higher than dmz at 70, so the traffic will be allowed without an ACL.

How does the internal DNS resolve the IP of the web server?

If you can, use the IP instead of the web name when accessing it.

@MHM Cisco World ,

But the Internal network is classified as 100 while the DMZ is classified as 70 or 50. I am referring to these numbers from Cisco Academy.

 

Yes, that is why I suggest removing the ACL.

MHM

Marvin Rhoads
Hall of Fame

Are you trying to access the server via its IP address or via a FQDN?
