02-26-2011 04:18 AM - edited 03-06-2019 03:46 PM
Hi Guys,
I am a bit confused about how communication from inside to DMZ and DMZ to inside works.
I have a setup like this.
inside------outside
!
!
DMZ
I understand that to allow communication from inside to outside or inside to DMZ we don't need anything.
But to allow communication from the DMZ or outside we need to have ACLs.
I have NAT on the inside as well as the DMZ interfaces.
Below is the config.
inside ip 192.168.1.100/24
outside ip "public ip"
dmz ip 172.16.1.100/24
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (dmz) 1 172.16.1.0 255.255.255.0
access-list dmz permit icmp any any echo
access-list dmz permit icmp any any echo-reply
access-list dmz permit icmp any any time-exceeded
I want to allow communication from a server in the DMZ with IP 172.16.1.10/24 to the inside network,
and the inside network should be able to access all of the DMZ network.
I think I am missing something here. Please advise.
Regards
Mahmood
02-26-2011 06:13 AM
I have a question.
Do you need to do NAT between your inside network and the DMZ? Usually, you don't do NAT between these two networks because they are both your private networks and also because your inside network (security 100) can access your DMZ by default (security less than 100) but not vice versa without access-lists.
Having said that, I would use nat (inside) 0 to access your DMZ and nat (dmz) 0 to access your inside network from the DMZ. You will still need access lists from the DMZ to the inside interface to permit the traffic though, because you are going from a lower security level interface to a higher one.
If you have Unix/Linux skills, you might want to turn on logging and send it to a syslog server. The best is syslog-ng, and it will tell you where the traffic is being denied.
Another question. Do you have nat control activated on the ASA?
Here's an example of NAT exemption once NAT control is activated:
nat (inside) 0 access-list nonat-inside
nat (dmz) 0 access-list nonat-dmz
access-list nonat-inside permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat-dmz permit icmp 172.16.1.10 255.255.255.255 any
The problem is, with a NAT 0 ACL I don't think you can specify protocols except IP (I know I put ICMP; you can try it, but I'm not sure if it will work) or ports, i.e. you can't put "eq".
In this case (if it doesn't work) there are other options like using NAT for this server (static NAT), but then your inside hosts would attack a different IP address and you need to make good use of a DNS server.
Here's a good guide from Cisco:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042530
The configuration you have is fine for the DMZ clients if they want to go outside. They will be NATted to the same global address as the inside hosts, i.e. the public address.
HTH,
Ian
02-26-2011 07:02 AM
Hi Mahmood,
You can try with the following line:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
This will allow communication from the DMZ to hosts on the inside network with their original IP addresses, the so-called identity NAT.
The other thing you need is an access list to allow traffic from the DMZ to inside, but you already have that in place.
Regards,
Ross
Sent from Cisco Technical Support iPhone App
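Pulling Ian's NAT exemption suggestion together into one complete pre-8.3 (nat/global syntax) ASA fragment, as an added example rather than anything posted in the thread: the addresses come from Mahmood's post, while the interface names, security levels, the ACL names nonat-inside and dmz_in, the access-group binding and the test host are assumptions.

```cisco
! Interface addressing as given in the original post; interface names and security levels are assumptions
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.100 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.100 255.255.255.0
!
! Existing PAT to the outside interface address for both inside and DMZ hosts (from the post)
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
!
! NAT exemption so inside <-> DMZ traffic keeps its real addresses.
! A nat 0 access-list exemption is bidirectional: it also covers connections that
! DMZ hosts initiate toward the inside, so no second nat (dmz) 0 rule is needed.
! Per Ian's caution, keep this ACL to 'permit ip' and do the real filtering on the interface ACL.
access-list nonat-inside extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
!
! DMZ inbound ACL. Order matters: the single server gets to the inside, ICMP replies for
! inside-originated pings are let back in, everything else toward the inside is denied
! explicitly, and only then is the rest of the DMZ allowed out to the Internet.
access-list dmz_in extended permit ip host 172.16.1.10 192.168.1.0 255.255.255.0
access-list dmz_in extended permit icmp any any echo-reply
access-list dmz_in extended permit icmp any any time-exceeded
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in extended permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! Check the result with packet-tracer rather than guessing (192.168.1.50 is a made-up inside host):
! packet-tracer input dmz tcp 172.16.1.10 12345 192.168.1.50 445   -> should end in ALLOW
! packet-tracer input dmz tcp 172.16.1.20 12345 192.168.1.50 445   -> should end in DROP (acl-drop)
! Denied flows also appear in the syslog as %ASA-4-106023 messages, which is what Ian's logging suggestion surfaces.
```

Ross's static (inside,dmz) identity translation is an alternative to the nat 0 exemption above, not something to configure alongside it; the dmz_in ACL and access-group binding are needed in either case.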