Inside to access DMZ

prashantrecon (Level 1)

dmz - 192.168.10.x; inside - 172.16.x.x

192.168.10.x is NATed to a public IP 202.x.x.x.

For outside to access 192.168.10.x I have created an access-list with the name out:

static (dmz,outside) 202.x.x.x 192.168.10.x netmask 255.255.255.255

access-list out extended permit tcp any host 202.x.x.x eq 80

access-group out in interface outside

If nat-control is not enabled, then inside users will be able to access the server by default.

Now nat-control is enabled. For inside users to access the DMZ server:

static (dmz,inside) 192.168.10.x 192.168.10.x netmask 255.255.255.255

access-list dmz extended permit tcp any host 192.168.10.x eq 80

Is the above access-list right? Where should the access-group be applied, on dmz or inside?


Hi Prashant,

When nat-control is enabled, it is enabled globally. This means that ANY higher security level interface (inside or dmz in your case) requires NAT in order to communicate with hosts on ANY lower security level interface (outside in your case). What I am trying to say is that this is not only the case for INSIDE, but also for the DMZ interface.

Regarding your config, it is not quite OK. As per the requirements of nat-control, DMZ is the lower security level interface in comparison with INSIDE. So you will need to source NAT the inside:

static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.255

This type of NAT is called identity NAT, because the source is not actually changed. This way you can bypass the nat-control requirement.

Dan

Thanks.

Do the access-list and access-group remain the same?

Another thing: if nat-control is not enabled, then

all the NATed systems in the DMZ should be able to access the Internet, as they flow from a higher interface to a lower interface.

Can I give the route on the firewall as

route dmz 0.0.0.0 0.0.0.0 202.x.x.x (gateway)

There is already a default route for outside as

route outside 0.0.0.0 0.0.0.0 202.x.x.x

No. The access-list should be:

access-list dmz extended permit tcp any host 172.16.x.x eq 80

if you are trying to connect to 172.16.x.x, destination port 80/TCP.

But you didn't tell me what you are trying to access. Where is the client, and where is the server application?

As I see it, the client is on the INSIDE and the server is on the DMZ, so the ACL should be applied on inside:

access-list inside extended permit tcp any host 192.168.10.x eq 80

Routing in general is done by destination, so if you already have the route to the outside, then you do not need to do anything else regarding routing. Nat-control does not have an impact on the routing table.

Dan
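The following is a complete pre-8.3 ASA configuration for the scenario discussed in this thread (outside to the DMZ web server, inside to the DMZ web server under nat-control, and DMZ hosts out to the Internet). It is an added example, not code from any of the posts above. The addresses, interface names and ACL names are assumed for illustration: public address 198.51.100.10 and gateway 198.51.100.1 in place of the thread's 202.x.x.x, DMZ web server 192.168.10.10, inside network 172.16.0.0/16, interfaces named outside, dmz and inside.

```cisco
! Added example, not from the thread. Pre-8.3 ASA/PIX syntax: nat-control and
! static (real_if,mapped_if) only exist there; 8.3+ replaced them with object NAT.
! Assumed addresses: public 198.51.100.10, upstream gateway 198.51.100.1,
! DMZ web server 192.168.10.10, inside network 172.16.0.0/16.

nat-control

! ---------- Outside -> DMZ web server ----------
! The server sits behind the dmz interface, so the static pair is (dmz,outside).
! Pre-8.3 ACLs on outside match the MAPPED (public) address.
static (dmz,outside) 198.51.100.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 198.51.100.10 eq www
access-group outside_in in interface outside

! ---------- Inside -> DMZ web server ----------
! nat-control requires a translation for the higher-security SOURCE (inside)
! whenever it initiates to a lower-security interface (dmz). Identity NAT keeps
! 172.16.x.x unchanged but satisfies that check; without it the flow is dropped.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

! The ACL goes on the interface where the CLIENT traffic enters: inside.
! Binding any ACL to inside replaces the default "permit to lower security"
! behaviour with an implicit deny, so list everything inside still needs.
! Order matters: allow web to the server, block the rest of the DMZ, then
! allow the Internet.
access-list inside_in extended permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.10 eq www
access-list inside_in extended deny ip any 192.168.10.0 255.255.255.0
access-list inside_in extended permit ip 172.16.0.0 255.255.0.0 any
access-group inside_in in interface inside

! ---------- DMZ -> Internet ----------
! Routing is by destination: the existing default route on outside is enough,
! and a second "route dmz 0.0.0.0 0.0.0.0 ..." would be wrong. What the other
! DMZ hosts need under nat-control is a translation toward outside (PAT on
! the outside interface address); the web server keeps its static above.
route outside 0.0.0.0 0.0.0.0 198.51.100.1
nat (dmz) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! ---------- Checks (assumed client 172.16.1.50) ----------
! packet-tracer input inside tcp 172.16.1.50 12345 192.168.10.10 80
!   NAT phase should cite static (inside,dmz), ACCESS-LIST phase inside_in,
!   overall result ALLOW.
! show xlate | include 172.16.1.50
!   shows an identity entry 172.16.1.50 -> 172.16.1.50 after the first connection.
! Without the (inside,dmz) static, the ASA drops the flow and logs
! %ASA-3-305005: No translation group found for tcp src inside:172.16.1.50/12345 dst dmz:192.168.10.10/80
```

Two caveats for anyone reusing this: the poster's original `static (inside,outside) ... 192.168.10.x` pairs the wrong interface with a DMZ host, so the public-facing static must be written as `(dmz,outside)`; and on ASA 8.3 and later `nat-control`, `static (if,if)` and `global` no longer exist, ACLs match real rather than mapped addresses, and identity NAT is expressed as object or twice NAT instead.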
