We help IT Professionals succeed at work.

DMZ connectivity !

Medium Priority
408 Views
Last Modified: 2012-05-06
Hi,
I just have a few questions about DMZ connectivity with Public and Inside interfaces...

If i give command static (dmz,out) out I.P dmz I.P
then would my DMZ host be able to talk to internet and internet would be able to talk to DMZ .. or do i need to add anythign extra as well ... (this is assuming acl's in inside and dmz interface allow everything )
Comment
Watch Question

Commented:
hi
yes it's highly recommended to assign ACL to filter traffic in/out ur DMZ, so u can keep ur DMZ network away from any possible attack ..

BR

Author

Commented:
yes i know about the ACL ... but my question is that is the above static command enough to ensure
1. From Internet to DMZ servers connectivity
2. From DMZ serves to internet connectivity ?

Author

Commented:
static (dmz,outside) outside I.P DMZ I.P

Commented:
what's ur device model ? if PIX::
the static command maps an internal private ip address to an external
official ip address. Access-Lists define the access from the untrusted
external device to your DMZ device.

Use this Example to define your smtp & pop3 traffic:

static (dmz,outside) External_NAT_IP DMZ_IP netmask 255.255.255.255
access-list acl_outside permit tcp host External_SMTP_POP3_Client host
External_NAT_IP eq 25
access-list acl_outside permit tcp host External_SMTP_POP3_Client host
External_NAT_IP eq 110

BR

Author

Commented:
my question is still the same ... u've given answer but the not the one am looking for ;)

considering that my acl allows everything in to dmz (leaving recommendation aside for a second) ... will the above static command ensure i am able to establish connectivith both ways ... from dmz to internet as well as from internet do dmz  ?

static (dmz,outside) outside I.P DMZ I.P

 or do i have to add other commands as well ?

Author

Commented:
am using pix 525E with IOS 8.0 .. so its essentially an ASA ...
Commented:
yes u can
this how it should be:
static (DMZ,outside) xxx.xxx.xxx.x y.y.y.y netmask 255.255.255.255
access-list acl_outside permit ip any nay
access-group acl_outside in interface DMZ

BR

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
thanks for that :)

If i may also ask do we need to give the command on pix ...
route dmz x.x.x.x x.x.x.x dmz interface i.p

coz its already directly connected interface ... so shud we define a static route to the dmz ? i mean ive seen in configs ppl have defined it but when i enter, it returns an error tht its directly connected (rightly so ) so whats the point in having a static route to dmz ?

Commented:
yes that's should be right
route dmz x.x.x.x 255.255.255.0 y.y.y.y

try and reply
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.