Basic NAT + ACL question. Access from DMZ to inside
Posted on 2009-02-19
I have an ASA 5510 with inside, DMZ and outside interfaces. I use one public IP address on the outside interface, which uses PAT to reach the mail and web servers on the DMZ. There's a dynamic NAT for the inside hosts to a different public IP address so that they can get to the Internet. There's also a NAT from the LAN to the DMZ so that the users can read their email and the corporate web pages. The outside interface is full of ACLs permitting only valid traffic to the DMZ servers. Everything works (the configuration is a mess, but it works), but now I need to be able to access a host in the LAN from one server in the DMZ, and I don't really know how to do it. My questions are, when trying to access the internal IP address from the DMZ server:
1. Should I use the local IP address of the host in the inside network, or do I need some kind of static NAT from the LAN to the DMZ so that the host can be seen in the DMZ? I guess I need a NAT, but I'm not sure.
2. Do I need an outgoing ACL on the DMZ interface or an incoming ACL on the inside? I guess an outgoing one on the DMZ, but I'm not sure either.
3. I still want users in the inside network to be able to get to the DMZ servers. If I have an ACL to permit traffic from the DMZ server to the inside host, how do I avoid implicitly denying all other hosts access to the DMZ servers?
I could post the configuration, but it is an absolute mess and truly embarrassing. I need time to sit down and start from scratch with it.
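The following is an added illustration of how the three pieces asked about above (NAT for the inside host, placement of the ACL, and keeping inside-to-DMZ access working) fit together on an ASA. It is not the poster's configuration: every address, interface name, ACL name and port is constructed for the example, and it uses the pre-8.3 (ASA 8.0/8.2) NAT syntax that was current when the question was posted.

```cisco
! Added example, not the poster's configuration. All addresses, interface
! names, ACL names and ports below are constructed for illustration.
! Syntax is the pre-8.3 (ASA 8.0/8.2) NAT style.
!
! Assumed topology (constructed):
!   inside 192.168.1.0/24 (security-level 100), host to be reached: 192.168.1.10
!   dmz    10.1.1.0/24    (security-level 50),  server that needs access: 10.1.1.5
!
! 1. NAT: an identity static presents 192.168.1.10 to the DMZ with its own
!    address, so the DMZ server simply connects to the real inside IP.
!    In pre-8.3 NAT ordering a static is matched before any dynamic
!    nat/global pair between inside and dmz, so the existing LAN-to-DMZ
!    dynamic NAT is left in place.
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

! 2. ACL placement: the list goes on the DMZ interface, direction "in"
!    (traffic entering the ASA from DMZ hosts). Permit only the one server
!    to the one host on the one port it needs (tcp/1433 is assumed here),
!    then deny anything else bound for the inside network and log it so
!    attempts from other DMZ hosts show up in syslog.
access-list DMZ_IN extended permit tcp host 10.1.1.5 host 192.168.1.10 eq 1433
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
!    Applying an ACL to the interface replaces the default "higher-to-lower
!    security is allowed" behaviour with an implicit deny at the end of the
!    list, so the DMZ servers' own legitimate outbound traffic (mail relay
!    and DNS are assumed here) must now be listed explicitly.
access-list DMZ_IN extended permit tcp host 10.1.1.5 any eq smtp
access-list DMZ_IN extended permit udp host 10.1.1.5 any eq domain
access-group DMZ_IN in interface dmz

! 3. Inside users keep reaching the DMZ servers: their connections enter on
!    the inside interface, where DMZ_IN is not applied, and the reply
!    packets from the DMZ are matched to existing connections by stateful
!    inspection before any interface ACL is consulted, so the deny line
!    never applies to them.
!
! Checks after applying:
!   show xlate              - the identity translation for 192.168.1.10 is listed
!   show access-list DMZ_IN - per-line hit counts confirm which ACE matched
```

The ordering of the access-list lines matters: the specific permit to the inside host comes first, the logged deny for the rest of the inside network second, and the broad "any" permits for the servers' Internet-bound traffic last, so that the deny cannot be bypassed by the wider permits below it.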