07-19-2009 10:30 PM - edited 03-11-2019 08:56 AM
Hi all,
I have to make a DMZ in my network. Currently my servers are working in the inside network, but now I have to shift these servers to the DMZ.
Kindly look at my configuration and guide me with the configuration for how I can achieve this goal. Thanks
********************
ASA Version 8.0(4)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/3
description LAN Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777
access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080
access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777
access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
access-list inside_access_all extended permit ip any any
access-list DMZ_access_all extended permit icmp any any
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_all in interface Inside
access-group DMZ_access_all in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
: end
ASA#
07-21-2009 05:52 AM
Hi,
With this config you will not be able to access your servers from outside.
07-21-2009 06:21 AM
Hi,
I think the following lines are confusing:
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
access-list inside_access_all extended permit ip any any
access-list DMZ_access_all extended permit icmp any any
nat (Inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatDMZ
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
Can you tell me what you are planning to use these lines for?
To have your inside network access the DMZ, just enter the commands below and it will work; you don't need anything else:
access-list inside_nat0 extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
That's it; this will serve your purpose and you will be able to access the DMZ from Inside.
And to access the DMZ from Outside you need to create static/dynamic NAT as required.
Regards,
Hussain
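As an added worked example (not from the original thread and not Hussain's own config), here is how the move described above can be written out in ASA 8.0(4) syntax for one of the servers. It assumes the www server that was 192.168.0.201 is re-addressed to 192.168.100.201 in the DMZ, and the ACL name DMZ_access_in is an assumed name; the interface nameifs, the existing ACL names and the inside_nat0 lines are taken from the thread. It also spells out the point the replies leave implicit: once the servers sit in the DMZ, the DMZ interface ACL has to deny connections from the DMZ into Inside, because the poster's existing static (Inside,DMZ) makes every inside host reachable by its real address from the DMZ.

```cisco
! Added example, not the thread's own config. Assumes the www server that was
! 192.168.0.201 now lives at 192.168.100.201 in the DMZ (nameifs as in the post).

! 1. Inside -> DMZ without translation (Hussain's nat 0 exemption). Only one
!    "nat (Inside) 0 access-list" can exist, so this replaces the old nonat one.
access-list inside_nat0 extended permit ip any 192.168.100.0 255.255.255.0
nat (Inside) 0 access-list inside_nat0

! 2. Publish the DMZ server toward outside as an identity static (mapped = real).
!    The existing nat 0 exemption on DMZ covers the same host and is checked before
!    statics, so it is removed here; otherwise the static would never be used.
no nat (DMZ) 0 access-list nonatDMZ
static (DMZ,outside) 192.168.100.201 192.168.100.201 netmask 255.255.255.255

! 3. Outside ACL: retire the entry for the old inside address and permit only the
!    published port toward the new DMZ address.
no access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www
access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.100.201 eq www

! 4. DMZ ACL (assumed name DMZ_access_in): ACEs match top-down, so the deny toward
!    Inside sits before the broader permit. This is what keeps a compromised DMZ
!    server from reaching inside hosts, which static (Inside,DMZ) otherwise exposes.
access-list DMZ_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-group DMZ_access_in in interface DMZ
```

Two caveats when applying this. ASA 8.0 ships with nat-control disabled, so removing the broad `nonat` exemption does not break Inside to outside traffic; if `nat-control` has been enabled on this box, Inside to outside then needs its own nat or static entry. And the last ACL keeps only ICMP outbound from the DMZ; any service the moved servers themselves need to reach (DNS, updates, backups) should be added as a specific permit above the deny, not by reinstating a permit ip any any.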