S1stem4s asked:
Basic NAT + ACL question. Access from DMZ to inside

Hi ...

I have an ASA 5510 with inside, DMZ and outside interfaces. I use one public IP address on the outside interface, which uses PAT to go to the mail and web servers on the DMZ. There's a dynamic NAT for the inside hosts to a different public IP address, so that they can get to the internet. There's also a NAT from the LAN to the DMZ so that the users can read their emails and corporate web pages. The outside interface is full of ACLs permitting only valid traffic to the DMZ servers. Everything works (the configuration is a mess, but it works), but now I need to be able to access a host in the LAN from one server in the DMZ, and I don't really know how to do it. My questions are, when trying to access the internal IP address from the DMZ server:

1. Should I use the local IP address of the host in the inside network, or do I need some kind of static NAT from the LAN to the DMZ so that the host can be seen in the DMZ? I guess I need a NAT, but I'm not sure.

2. Do I need an outgoing ACL on the DMZ interface or an incoming ACL on the inside? I guess an outgoing one on the DMZ, but I'm not sure either.

3. I still want users in the inside network to be able to get to the DMZ servers. If I have an ACL to permit traffic from the DMZ server to the inside host, how do I avoid implicitly denying all other hosts access to the DMZ servers?

I could post the configuration, but it is an absolute mess and truly embarrassing. I need time to sit down and start from scratch with it.
SOLUTION by ricks_v

[This solution is only available to Experts Exchange members.]
S1stem4s (asker):
Thanks, but I still have some concerns ...

1. Both machines are not on the inside, just the destination host. The source is the server in the DMZ. I think I need a static NAT, but since the inside already has a NAT I don't know if I need a different one or if I can use the same one.

2. Why does the outside interface have to be involved in this communication if it is between the DMZ and the inside? Is that how the ASA works?

3. I tried it and the only thing that worked was the communication between the inside host and the DMZ server, since only this server is allowed to get into the inside, and only to this host. It implicitly denies everything else; that's my big problem, I think. I don't know how to write this ACL.

Thanks again!
ricks_v:

1. Sorry, I didn't mean both are on the inside; I meant both are not on the outside.
The LAN already has access to the DMZ, so we can leave that.

Alternatively, you can issue a static NAT command for the single host on the LAN. This way, you do not need any ACL (just use one available DMZ address in a static NAT to the single host in the LAN), so the host in the DMZ will access the newly created DMZ IP address instead of the actual LAN host IP address.

2. Sorry again, I meant apply an outgoing ACL on the INSIDE interface.

3. I will try posting an example config.

If you use an ACL:
#access-list inside_access_out extended permit ip host x.x.x.x host y.y.y.y
note: inside_access_out can be different depending on what you named it in access-group

If you use NAT (mapped address first, then the real address):
#static (inside,dmz) x.x.x.x y.y.y.y netmask z.z.z.z 0 0

x = DMZ host (in the static line, this is the DMZ-side address the inside host will be seen as)
y = inside host
z = subnet mask (will be 255.255.255.255 as it's a single host)
S1stem4s (asker):

The problem is not in the NAT, I think. The internal host address is translated to the DMZ correctly. The problem is in the ACL. I do need an ACL, since the inside interface has a security level of 90 and the DMZ has only 50. I don't think I need an outgoing ACL on the inside, since the security level of the DMZ is lower and therefore it is permitted. I need an outgoing ACL on the DMZ interface so that it's able to communicate with a host on an interface with a higher security level, but if I do so, I'm implicitly denying all possible communications with the inside interface, given that the only permitted communication DMZ --> inside is from the server in the DMZ to the inside host.
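Putting the two pieces of the thread together, as an added example that is neither the asker's configuration nor ricks_v's posted lines: a static translation that presents one inside host on the DMZ, and an access list applied inbound on the dmz interface that lets only the one DMZ server reach that mapped address while explicitly keeping the DMZ's other traffic flowing, so the implicit deny at the end of the list does not swallow it. All addresses, interface names, the port and the pre-8.3 NAT syntax are assumptions made for the example. Two points worth being clear on: on the ASA an access list is attached to an interface in the `in` direction to filter connections that enter the ASA through that interface, so the "outgoing ACL on the DMZ" the asker wants is really an inbound ACL on dmz; and such a list only affects connections initiated by DMZ hosts, while connections that inside users open to the DMZ servers are permitted by the inside interface's policy and their return packets by the stateful connection table, so they are not the ones being denied.

```cisco
! Added example, not the thread's configuration. Pre-8.3 syntax (static/nat/global)
! is assumed; every address, interface name and port below is made up.
!
! Interfaces with the security levels the asker describes (inside 90, dmz 50).
interface Ethernet0/1
 nameif inside
 security-level 90
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! 1. NAT. Present the single inside host 192.168.1.10 on the DMZ as 172.16.1.10.
!    Syntax is: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
!    The DMZ server talks to 172.16.1.10; it never sees 192.168.1.10.
!    A static translation is evaluated before any dynamic nat/global pair, so it
!    coexists with the existing LAN-to-DMZ dynamic translation for the other users.
static (inside,dmz) 172.16.1.10 192.168.1.10 netmask 255.255.255.255
!
! 2. ACL for connections initiated by DMZ hosts, attached inbound on dmz.
!    First match wins, and an attached list ends with an implicit deny, so every
!    flow the DMZ still needs must be permitted explicitly below the narrow rule.
!
!    a) the one DMZ server (172.16.1.20) to the mapped inside host, one port
access-list dmz_access_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq 3306
!    b) no other DMZ host may reach the mapped address or the real inside subnet
access-list dmz_access_in extended deny ip any host 172.16.1.10
access-list dmz_access_in extended deny ip any 192.168.1.0 255.255.255.0
!    c) DMZ hosts keep the lower-security path to the internet they had before
!       any list was attached (without this line the implicit deny removes it)
access-list dmz_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
```

To check the result without waiting for users to complain, `packet-tracer input dmz tcp 172.16.1.20 40000 172.16.1.10 3306` walks a simulated packet from the server through the ACL and the static translation and reports the phase that drops it, if any; a second run with another DMZ source address should end at the ACL deny, and `show xlate | include 192.168.1.10` confirms the static entry is present. If the ASA is on 8.3 or later the NAT is written with `object network` and `nat (inside,dmz) static`, and access lists then match the real address (192.168.1.10) rather than the mapped one, so the two `172.16.1.10` lines above would change accordingly.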
ASKER CERTIFIED SOLUTION

[This solution is only available to Experts Exchange members.]