09-04-2010 04:51 PM - edited 03-11-2019 11:35 AM
Hi Community,
I have a Cisco ASA 5520 with the following interface setup:
Outside (0) 78.93.*.*
Inside ( 100) 10.1.2.20
Now I am planning to setup dmz and there will be webserver in that zone
I need help for two things:
1. How do I allow people accessing this webserver from Public Network
2. How do I allow only my PC residing in the inside network to access this server and vice versa
Any help would be highly appreciated.
09-04-2010 05:00 PM
Hi,
Normally this is what you'll have:
inside = security level 100
outside = security level 0
dmz = security level 50
To allow traffic from outside to dmz you need:
static (dmz,outside) public_IP private_IP --> public_IP is the NATed IP for the web server and private_IP is the real IP
access-list outside_in permit tcp any host public_IP eq 80
access-group outside_in in interface outside
The above ACL will permit only TCP port 80 to the web server from the outside and it's applied to the outside interface.
In order to allow communication from inside to dmz, you just need NAT:
nat (inside) 1 0 0
global (dmz) 1 interface
Federico.
09-04-2010 05:07 PM
Thanks for the prompt response
nat (inside) 1 0 0
global (dmz) 1 interface
This will allow all inside hosts to communicate with the dmz server,
But in my case, I want to allow single host (that is my pc ) to communicate with this server.
09-04-2010 05:11 PM
To allow a single PC instead of having:
nat (inside) 1 0 0
global (dmz) 1 interface
You change it to this:
nat (inside) 1 x.x.x.x 255.255.255.255
global (dmz) 1 interface
Replace x.x.x.x with the IP.
Federico.
09-04-2010 05:13 PM
What would happen if I make a static NAT?
09-04-2010 05:18 PM
You can create a static NAT:
Assuming your inside IP is 10.0.0.1
static (inside,dmz) 10.0.0.1 10.0.0.1
Static NAT is normally done for inbound access (from a lower security interface to a higher security)
Regular NAT is normally done for outbound traffic (that's why I gave you the example).
Short answer is... either way will work.
Problem with static NAT is that the DMZ will have access to initiate traffic to your PC (if allowed by ACL)
Federico.
09-04-2010 05:25 PM
I have heard something about Exempt NAT. Perhaps I didn't get any idea from the web.
Please can you explain with simple example
Thanks for your help
09-04-2010 05:30 PM
Exempt NAT is NAT 0 with ACL
Allows you to define which traffic to bypass NAT and it has the highest preference in the NAT priority check done by the ASA.
Normally used to bypass NAT for VPN traffic
ie.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
The above will allow traffic to flow between both networks with NAT.
If you do the example of the static...
static (inside,dmz) 10.0.0.1 10.0.0.1
then you are allowing traffic to pass with NAT as well (this is static Identity NAT because you're not really translating the address anyway).
Federico.
09-04-2010 05:33 PM
If I am not wrong, can I just create an ACL to allow traffic from inside to dmz without NAT... Is it possible to make it?
09-04-2010 05:37 PM
Yes.
Depending on the version.
If you have nat-control enabled (can check it with sh run nat-control) then you MUST have a NAT rule for the ASA to allow traffic to pass between interfaces.
If you disable nat-control, then you can pass traffic without NAT.
However, an ACL is not required to pass traffic from inside to dmz.
An ACL is required to pass traffic from a lower security to a higher security (like in the case from dmz to inside).
Federico.
09-04-2010 05:47 PM
This is what I have done after your great explanation
Static NAT
static (inside,dmz) 10.1.2.18 10.1.2.18 netmask 255.255.255.255
Created an ACL to allow the traffic from dmz to inside
access-list DMZ-1_access_in line 2 extended permit tcp host 172.16.1.X object-group MYPC object-group sqlnet
09-04-2010 05:51 PM
Remember the important rules:
Traffic from higher security to lower security
requires NAT (if having nat-control)
Traffic from lower security to higher security
requires STATIC NAT and ACL
If you already have an ACL applied to an interface, i.e. inside,
then all traffic that should be permitted must be explicitly defined.
If you really understand the above, you're done (for the basics).
Federico.
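The pieces from the thread pulled together into one pre-8.3 ASA configuration (an added example, not config posted by anyone in the thread). Assumed values: the dmz interface is GigabitEthernet0/2 on 172.16.1.0/24, the web server is 172.16.1.10, and its public address is the placeholder 203.0.113.10; the inside PC 10.1.2.18 and the ACL/object-group names come from the thread.

```cisco
! Added example, not from the thread. Assumed: dmz on Gi0/2 (172.16.1.0/24),
! web server 172.16.1.10, public IP placeholder 203.0.113.10.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! 1. Outside -> dmz (lower to higher security): static NAT maps the public
!    IP to the web server, and an ACL on outside opens only TCP/80 to it.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
!
! 2. Inside PC <-> dmz: static identity NAT for the single host 10.1.2.18.
!    Inside -> dmz needs no ACL (higher to lower), but under nat-control it
!    needs a translation; because only this host has one, other inside hosts
!    cannot reach the dmz. The same static lets the dmz side initiate to the
!    PC, so the dmz ACL below decides what the dmz may actually start.
!    Outbound-only alternative (dmz could never initiate to the PC):
!      nat (inside) 1 10.1.2.18 255.255.255.255
!      global (dmz) 1 interface
static (inside,dmz) 10.1.2.18 10.1.2.18 netmask 255.255.255.255
!
! 3. dmz -> inside (lower to higher): ACL on dmz permits only the web server
!    to the PC on TCP/1521. Once this ACL is applied, every flow the dmz may
!    initiate, including toward outside, must be listed here explicitly.
object-group network MYPC
 network-object host 10.1.2.18
object-group service sqlnet tcp
 port-object eq 1521
access-list DMZ-1_access_in extended permit tcp host 172.16.1.10 object-group MYPC object-group sqlnet
access-group DMZ-1_access_in in interface dmz
```

If you would rather bypass translation entirely for the PC-to-dmz pair, the thread's NAT exemption form (`nat (inside) 0 access-list nonat` with an ACL matching host 10.1.2.18 to 172.16.1.0/24) replaces the static in step 2 and takes precedence over every other NAT rule; the dmz ACL in step 3 is still what limits what the dmz can initiate.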
09-04-2010 06:17 PM
Thank you so much for clearing all my doubts.
That was quite helpful.