How can I permit access to DMZ only to the inbound access?

s.gando
Level 1

For example:

If I wanted to permit access to the FTP on the host 10.13.0.5 (DMZ) from the private LAN (10.2.0.0) but not from the internet, can I do it with the "conduit"?

Thanks.

3 Replies

isotelo
Level 1

You must create a static route for your LAN towards the DMZ, for example:

static (inside,dmz) 10.2.0.1 10.13.0.5 netmask 255.255.255.255

conduit permit tcp host 10.2.0.1 eq ftp any

and now 10.2.0.1 is the FTP for your LAN network.

You don't need the static & conduit statements in this scenario. Since traffic will flow from higher security (Inside-security100) to lower security (DMZ-security50) via the nat (DMZ) 1... command, you should use the static/conduit. One way of controlling this type of access would be using access-lists and access-group and applying this to the inside interface in the inbound direction. This is the same concept as the older PIX software using outbound/apply.

I hope that helps. Please feel free to correct me.

bdube
Level 2

You don't need static translation. What you need is a NAT command with appropriate access-list/access-group commands.

About NAT, you have 2 choices:

1) Make a real translation

2) No translation at all

I prefer the second way to do that:

Example with no translation.

a) Create an access-list to limit who will access the ftp.

access-list nonatinside permit ip 10.2.0.0 255.255.255.0 host 10.13.0.5

b) Create a NAT to disable NAT for the previous access-list:

nat (inside) 0 access-list nonatinside

Then inside hosts will be able to access your FTP on any port, with their real IP addresses (no translation). If you want to limit the range of ports, you can create an access-list applied to the inside interface, or do some filtering on your server directly (which is not a bad idea), or both.

Ben
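An added, constructed PIX 6.x configuration fragment (not from either reply) that combines the nat 0 exemption above with the inbound access-list on the inside interface that Ben suggests: the LAN may reach only FTP on 10.13.0.5, the rest of the LAN's internet traffic is still PATed out, and the absence of any static/conduit or outside access-list entry for 10.13.0.5 is what keeps the internet out. The interface names, the /24 LAN mask and the outside PAT are assumptions.

```cisco
! Assumed interfaces and security levels (higher may initiate toward lower)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Keep the FTP inspection engine on so the data channel is opened automatically
fixup protocol ftp 21

! 1) Identity NAT: LAN hosts keep their real addresses when talking to the FTP server
access-list nonatinside permit ip 10.2.0.0 255.255.255.0 host 10.13.0.5
nat (inside) 0 access-list nonatinside

! 2) PAT for everything else leaving the LAN toward the internet
nat (inside) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface

! 3) Inbound filter on the inside interface: only FTP control to the DMZ server,
!    nothing else to that host, everything else (internet) allowed
access-list inside_in permit tcp 10.2.0.0 255.255.255.0 host 10.13.0.5 eq ftp
access-list inside_in deny ip any host 10.13.0.5
access-list inside_in permit ip 10.2.0.0 255.255.255.0 any
access-group inside_in in interface inside

! 4) Nothing for the outside: no static (dmz,outside) and no conduit or
!    outside access-list entry for 10.13.0.5, so lower-to-higher traffic from
!    the internet to the DMZ host is dropped by default
```

Verify with `show access-list inside_in` that the hit counts climb only on the `eq ftp` line during a LAN FTP session, and with `show xlate` that LAN-to-DMZ entries show the untranslated 10.2.0.x addresses.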