nabeel92
asked on
DMZ connectivity!
Hi,
I just have a few questions about DMZ connectivity with Public and Inside interfaces...
If I give the command static (dmz,out) out I.P dmz I.P
then would my DMZ host be able to talk to the internet and the internet be able to talk to the DMZ .. or do I need to add anything extra as well ... (this is assuming ACLs on the inside and dmz interfaces allow everything)
ASKER
Yes, I know about the ACL ... but my question is whether the above static command is enough to ensure
1. From Internet to DMZ servers connectivity
2. From DMZ servers to internet connectivity?
ASKER
static (dmz,outside) outside I.P DMZ I.P
What's your device model? If PIX:
The static command maps an internal private IP address to an external
official IP address. Access-lists define the access from the untrusted
external device to your DMZ device.
Use this example to define your SMTP & POP3 traffic:
static (dmz,outside) External_NAT_IP DMZ_IP netmask 255.255.255.255
access-list acl_outside permit tcp host External_SMTP_POP3_Client host External_NAT_IP eq 25
access-list acl_outside permit tcp host External_SMTP_POP3_Client host External_NAT_IP eq 110
BR
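As an added illustration (not code from this thread or from Cisco), here is a small Python model of how a PIX/ASA running 8.0 decides a new connection: the static supplies the address translation in both directions, but only traffic from a higher to a lower security level passes without an ACL, so inbound from the internet to the DMZ still needs the outside access-list (bound with access-group) permitting the mapped address. Security levels, host addresses and the static/ACL entries are constructed for the example.

```python
from dataclasses import dataclass, field

# Interface security levels (constructed values; the usual PIX/ASA layout).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

@dataclass
class Static:  # models: static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

@dataclass
class Firewall:
    statics: list = field(default_factory=list)
    # ingress interface -> (proto, src, dst, port) permits bound via access-group
    acls: dict = field(default_factory=dict)

    def translate(self, ingress, egress, src, dst):
        """Apply the static in either direction; unchanged if none matches."""
        for s in self.statics:
            if ingress == s.mapped_if and egress == s.real_if and dst == s.mapped_ip:
                return src, s.real_ip      # inbound: un-NAT the destination
            if ingress == s.real_if and egress == s.mapped_if and src == s.real_ip:
                return s.mapped_ip, dst    # outbound: NAT the source
        return src, dst

    def check_flow(self, ingress, egress, proto, src, dst, port):
        """Return (allowed, reason, (src, dst) after translation). Pre-8.3 the
        ingress ACL is matched on the mapped destination, so check it first."""
        translated = self.translate(ingress, egress, src, dst)
        acl = self.acls.get(ingress)
        if acl is None:                    # no ACL bound: security-level default
            if SECURITY[ingress] > SECURITY[egress]:
                return True, "higher-to-lower security, allowed without an ACL", translated
            return False, "lower-to-higher security needs an access-list", translated
        if (proto, src, dst, port) in acl:
            return True, "access-list permit matched", translated
        return False, "implicit deny at end of access-list", translated

def demo():
    """DMZ host 192.168.2.10 published as 203.0.113.10 (constructed addresses)."""
    fw = Firewall(statics=[Static("dmz", "outside", "203.0.113.10", "192.168.2.10")])
    client, web = "198.51.100.5", "198.51.100.80"
    outbound = fw.check_flow("dmz", "outside", "tcp", "192.168.2.10", web, 80)
    inbound_no_acl = fw.check_flow("outside", "dmz", "tcp", client, "203.0.113.10", 25)
    fw.acls["outside"] = [("tcp", client, "203.0.113.10", 25)]  # the answer's SMTP permit
    inbound_smtp = fw.check_flow("outside", "dmz", "tcp", client, "203.0.113.10", 25)
    inbound_pop3 = fw.check_flow("outside", "dmz", "tcp", client, "203.0.113.10", 110)
    return outbound, inbound_no_acl, inbound_smtp, inbound_pop3
```

Running demo() shows the DMZ-to-internet flow allowed on the static alone, the internet-to-DMZ flow denied until the outside ACL permits port 25, and port 110 still denied because no permit for it was added.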
ASKER
My question is still the same ... you've given an answer but not the one I am looking for ;)
Considering that my ACL allows everything in to the DMZ (leaving the recommendation aside for a second) ... will the above static command ensure I am able to establish connectivity both ways ... from dmz to internet as well as from internet to dmz?
static (dmz,outside) outside I.P DMZ I.P
or do I have to add other commands as well?
ASKER
I am using PIX 525E with IOS 8.0 .. so it's essentially an ASA ...
ASKER CERTIFIED SOLUTION
ASKER
Thanks for that :)
If I may also ask, do we need to give this command on the PIX ...
route dmz x.x.x.x x.x.x.x dmz interface i.p
because it's already a directly connected interface ... so should we define a static route to the DMZ? I mean I've seen in configs people have defined it, but when I enter it, it returns an error that it's directly connected (rightly so), so what's the point in having a static route to the DMZ?
Yes, that should be right
route dmz x.x.x.x 255.255.255.0 y.y.y.y
try and reply
Yes, it's highly recommended to assign an ACL to filter traffic in/out of your DMZ, so you can keep your DMZ network away from any possible attack ..
BR