Access from DMZ to inside

l4nier
Level 1

I am trying to allow access from one computer in the dmz to our internal network. This is a temporary setup used for testing. Can anyone point me towards documents on how to do this? I am not mapping to a "legal" address on the Inside. I just want the one computer in the dmz to have UDP access to the computers on the Inside.

Louanne Fournier

lfournier@nexterna.com

7 Replies

jmia
Level 7

Hi Louanne,

The following document might be useful to you:

> http://www.cisco.com/warp/public/707/28.html

Hope this helps -

msitzman
Cisco Employee

The short answer is that the inside host has to have a static translation defined that points to the DMZ interface. It can map to its own IP address in the statement, such as:

static (inside, intf2) 192.168.1.12 192.168.1.12 netmask 255.255.255.255

Then you will have to configure access from the DMZ host to the inside host, since it is a lower security zone to a higher security zone. This can be a conduit or an access-list:

conduit permit udp host 192.168.1.12 eq <port> host <dmz-host>

or:

access-list dmz_int permit udp host <dmz-host> host 192.168.1.12

access-group dmz_int in interface intf2

Hope this helps...

Marcus

Thanks for the quick reply Marcus! I will go ahead and try this but I was wondering why you map the inside machine to itself in the Static statement above. Shouldn't it go to the IP in the dmz? I understand the conduit statement because it maps from one ip to another but I was confused with the static.

Thanks again!

Hi there,

I mapped the inside IP to itself because there is not usually a need to NAT from the inside to DMZ interfaces. The DMZ interface is usually still part of your private network and therefore any routing should be set up already, and then you don't burn an address on the DMZ segment for the inside host. You certainly could map the inside host to a global address in the DMZ network if you wanted. Just remember that if you do, you will need to change the access-list or conduit to reflect the global address of the inside host.

Marcus

Ahh I get it! Normally I would use the static to map to a global IP but since it is just dmz to inside I don't need to waste an address.

Thank you again!

Louanne

One more question, hope you don't mind. In looking over what I have already I see there is a static mapping as follows:

static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

192.168.20.0 is my inside network. So rather than setting up access for a particular machine, a static mapping has already been set up for the entire inside network. So in this case I only need to add either a conduit or access-list statement. Is that correct?

Louanne

Hi there,

You are correct. That static statement will cover the whole network as being mapped to itself on the DMZ interface. All you need now is the conduit or ACL!!

Marcus
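Putting the whole thread together, the following PIX 6.x configuration is an added example (not from any of the posts above) of the identity static plus DMZ-inbound ACL that Marcus describes, narrowed to what a temporary test actually needs. The interface names, the DMZ address 192.168.50.10, the inside target 192.168.20.12 and UDP port 514 are assumptions for illustration; 192.168.20.0/24 as the inside network is taken from the thread.

```cisco
! Added example, not the thread's own config. Assumed names and addresses:
!   inside interface "inside" (security 100), DMZ interface "dmz" (security 50)
!   inside network 192.168.20.0/24 (from the thread), test target 192.168.20.12
!   DMZ test host 192.168.50.10, service under test UDP/514 (assumed)
!
! 1. Identity static: make the inside host reachable from the dmz interface
!    without consuming a DMZ address. The per-host form is preferable for a
!    temporary test; the /24 form already in the thread exposes every inside
!    host to whatever the dmz ACL later permits.
static (inside,dmz) 192.168.20.12 192.168.20.12 netmask 255.255.255.255 0 0
!
! 2. Lower-to-higher security traffic is denied by default, so permit only the
!    one DMZ host, the one inside host and the one UDP port under test. Every
!    access-list ends in an implicit deny; the explicit deny with "log"
!    (PIX 6.3 and later) makes refused attempts visible in syslog.
access-list dmz_in permit udp host 192.168.50.10 host 192.168.20.12 eq 514
access-list dmz_in deny ip any 192.168.20.0 255.255.255.0 log
!
! 3. Binding an ACL to the dmz interface also replaces the default
!    higher-to-lower permit, so re-allow the DMZ segment's outbound traffic
!    explicitly or the test host loses its existing outside access.
access-list dmz_in permit ip 192.168.50.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! Equivalent legacy conduit form: the inside (global) side comes first, then
! the foreign DMZ host. Cisco's PIX documentation recommends against mixing
! conduits and access-lists on the same firewall, so use one style only.
! conduit permit udp host 192.168.20.12 eq 514 host 192.168.50.10
```

The return UDP datagrams from 192.168.20.12 back to the DMZ host ride the connection slot the PIX creates for the permitted flow, so no rule in the inside-to-dmz direction is needed. Because the setup is temporary, remove the access-group, the access-list entries and the static when the test ends and write memory, so the DMZ-to-inside path does not outlive the test.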