Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
0
Helpful
3
Replies

nat dmz to inside

ivan.martin
Level 1
Level 1

‎03-14-2012 09:36 PM - edited ‎03-11-2019 03:42 PM

Hello my name is Ivan:

I have a cisco asa 5520 ios 8.2. This is my configuration

asa# sh run name

name 192.168.1.2 HOST-DMZ

name 10.24.1.8 HOST-LAN

asa# sh run nat

nat (inside) 1 10.24.1.0 255.255.255.0

nat (dmz) 1 192.168.1.0 255.255.255.255.0

asa# sh run global

global (dmz) 1 1 interface

global (outside) 1 interface

asa# sh sh run static

static (inside,outside) 172.24.10.4 10.24.1.8 netmask 255.255.255.255

static (dmz,outside) 172.24.10.5 192.168.1.2 netmask 255.255.255.255

static (dmz,inside) 10.24.1.8 192.168.1.2 netmask 255.255.255.255.

asa# sh run access-list

access-list ACLS-RED-LAN  permit ip host 10.24.1.8 any log

access-list ACLS-RED-DMZ permit ip host 192.168.1.2 any log

access-list ACLS-RED-OUTSIDE any permit ip host 172.24.10.4 log

access-list ACLS-RED-OUTSIDE any permit ip host 172.24.10.5 log

access-group ACLS-RED-LAN in interface inside

access-group ACLS-RED-DMZ in interface dmz

access-group ACLS-RED-OUTSIDE in interface outside

Acoording it, i can access in the two host from:

inside to outside...OK

inside to dmz.......OK

outside to inside...OK

outside to dmz.....OK

But i can not access from DMZ to INSIDE. Please could you give me and advice to resolv it.

Thanks Regards

Ivan

Labels:
0 Helpful
3 Replies 3

Dan-Ciprian Cicioiu
Level 7
Level 7

‎03-14-2012 10:47 PM

Hi Ivan ,

Please paste : sh run nat-control

If nat-control is enabled you will need one more static for the server on the inside :

static (inside,dmz) 192.168.1.8 10.24.1.8

And you will access the inside host from dmz as 192.168.1.8 - if 192.168.1.8 is already used in your setup , then change it.

Regards

Dan

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-14-2012 11:22 PM

So Ivan,

DMZ to inside is usually traffic flowing from lower to higher so you need a biderectional nat rule:

Please try the following:

static (inside,dmz)  10.24.1.0  10.24.1.0

Then configure an acl on the DMZ

access-list dmz permit ip any 10.24.1.0 255.255.255.0

access-group dmz in interface dmz

Of course I am being general, you can be as restrictive as you want with the NAT and the ACLs.

Do rate all the helpful posts

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

ivan.martin
Level 1
Level 1
In response to Julio Carvajal

‎03-15-2012 09:24 PM

Hello Julio

According your advice, when i configure static (inside,dmz) 10.24.1.8 10.24.1.8, i cannot access from dmz to outside

MAybe another advice?

Thanks

Regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card