memo12345678

asked on

outside to DMZ

Dear,

I have a server in the DMZ zone; its IP is 10.10.10.11.

I want everyone from outside to see this IP via the public IP 40.40.40.11 and also be able to access it.

Please write to me what is needed, with the access list, if it is wanted on the outside interface.
SOLUTION
Ernie Beek

Oh, assuming here that the interfaces are named: dmz and outside. And there is no outside access list (yet). Otherwise rename access-list and access-group to the name that you use.
memo12345678

ASKER

Dear,
It still doesn't work, this is the config:


access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 time-exceeded
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo
access-list 101 extended permit icmp any 40.40.40.128 255.255.255.128 echo-reply
access-list 101 extended permit icmp 40.40.40.128 255.255.255.128 any echo-reply
access-list 101 extended permit ip any host 40.40.40.11

access-group 101 in interface outside


static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255  


interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
!
interface GigabitEthernet3/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 10.10.10.2 255.255.255.0 standby 10.200.200.3
!
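As an added example (not from the thread or from any of the participants), a small Python checker for the two things this question turns on: whether the static's public IP actually sits inside the outside interface's subnet, and whether the ACL applied inbound on outside permits traffic to it. The sample config is constructed from the lines posted above (original /29 mask), and the parser only understands the pre-8.3 `static (low_if,high_if) global local netmask M` syntax shown here.

```python
"""Sanity-check ASA static NAT entries against the outside subnet and ACL."""
import ipaddress
import re

# Constructed sample, reduced from the posted config (outside mask still /29).
SAMPLE_CONFIG = """
access-list 101 extended permit ip any host 40.40.40.11
access-group 101 in interface outside
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255
interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.248 standby 40.40.40.2
"""

def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface, reading each 'interface' block."""
    result, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None  # new block: forget the previous nameif
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and name:
            result[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result

def parse_statics(cfg):
    """Return (low_if, high_if, global_ip, local_ip) per pre-8.3 static line."""
    pat = r"static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    return re.findall(pat, cfg)

def acl_permits_host(cfg, ifname, host):
    """True if the ACL bound inbound on ifname permits ip or icmp to host."""
    m = re.search(rf"access-group (\S+) in interface {ifname}", cfg)
    if not m:
        return False
    rule = rf"access-list {m.group(1)} extended permit (?:ip|icmp) any host {re.escape(host)}"
    return re.search(rule, cfg) is not None

def check_static(cfg):
    """Return a list of findings (empty list means nothing obvious is wrong)."""
    ifaces, findings = parse_interfaces(cfg), []
    for _low, high, glob, _local in parse_statics(cfg):
        out = ifaces.get(high)
        if out is None:
            findings.append(f"{glob}: no interface named {high}")
            continue
        if ipaddress.ip_address(glob) not in out.network:
            findings.append(f"{glob}: not in {high} subnet {out.network}; needs a route from the next hop")
        if not acl_permits_host(cfg, high, glob):
            findings.append(f"{glob}: no inbound ACL on {high} permits it")
    return findings
```

With the /29 mask the checker reports that 40.40.40.11 is outside the 40.40.40.0/29 outside subnet; with the /26 the asker moved to later in the thread it reports nothing.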
SOLUTION
Hi,

What about your DMZ? Do you have some NAT (global, nat (dmz), etc.) and some access-list?

Can your DMZ go to the Internet?

If your DMZ doesn't have an access-list/access-group, it will not work.


No need for an access list/group, you're going from a higher to a lower security interface.
Dear erniebeek,

I changed to:
interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.192 standby 40.40.40.2

but still I cannot ping from outside to this IP 40.40.40.11, but from my router (40.40.40.3) that connects to the ASA outside interface I can ping 40.40.40.11!!!!
Ok, that looks like we have to have a look at the router as well. Could you post a (sanitized) config?
@erniebeek: you're right :)

@memo: you talk about your router, does it redirect the traffic to the ASA (bridging?)?

For your ASA, I think you must follow the config of erniebeek, which redirects just one port, e.g. 80:

static (dmz,outside) tcp 40.40.40.11 80 10.10.10.11 80 netmask 255.255.255.255

Dear erniebeek

router config

interface GigabitEthernet0/1
description lin to internet
 ip address 40.40.40.230 255.255.255.192
 duplex auto
 speed auto
 standby 11 ip 40.40.40.231
 standby 11 timers 3 9
 standby 11 priority 120
 standby 11 preempt
 standby 11 track 1 decrement 25
!
interface GigabitEthernet0/2
 description Link ASA firewall
 ip address 40.40.40.4 255.255.255.192
 duplex auto
 speed auto
 standby 10 ip 40.40.40.6
 standby 10 timers 3 9
 standby 10 priority 120
 standby 10 preempt
 standby 10 track 1 decrement 25


!
ip route 0.0.0.0 0.0.0.0 40.40.40.200
ip route 40.40.40.0 255.255.255.192 40.40.40.1


There is no problem in the router, so why can I still not ping 40.40.40.11 from outside, while they can ping 40.40.40.1 (ASA outside interface)!!!!
Please check if something needs to be added.
static (dmz,outside) 40.40.40.11 10.10.10.11 netmask 255.255.255.255   (means all ports open)!!
Help me.
this is traceroute from outside to IP 40.40.40.11

C:\Users\tracert -d 40.40.40.11


  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12     *        *        *     Request timed out.


!!! Why can it not ping the ASA?
But when I tracert to 40.40.40.1:
C:\Users\tracert -d 40.40.40.11


  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12   101 ms   133 ms   128 ms   40.40.40.1
sorry

C:\Users\tracert -d 40.40.40.1


  1     *        *        *     Request timed out.
  2   109 ms   128 ms   128 ms  10.64.0.17
  3   101 ms    88 ms   123 ms  10.20.20.1
  4   112 ms   208 ms   118 ms  X.X.X.97
  5   101 ms   123 ms   138 ms  Y.Y.Y.146
  6   106 ms     *      190 ms  10.10.0.1
  7    94 ms   187 ms   129 ms  172.29.0.2
  8    82 ms   133 ms   133 ms  10.193.193.6
  9   110 ms   168 ms   158 ms  172.17.1.1
 10   111 ms   152 ms   203 ms  10.254.3.29
 11   106 ms   128 ms   123 ms  40.40.40.230
 12   101 ms   133 ms   128 ms   40.40.40.1
I think you need some NAT on your router to redirect traffic from the router to your ASA.

For example :

ip nat inside source static <local ip> <global ip>
ip nat inside source static 10.10.10.11 40.40.40.11



You'll need an ACL on your router like
! "permit ip any host ..." requires an extended ACL (100-199), not a standard one
access-list 110 permit ip any host 40.40.40.11



And finally configure your interfaces with NAT :

interface GigabitEthernet0/1
ip nat outside

interface GigabitEthernet0/2
ip nat inside



Hope I made no error, I think erniebeek will see :)
ASKER CERTIFIED SOLUTION
Sorry, solved: there was a mistake in the gateway IP of the server.
Thx
Ok, glad you solved it :)
Thx for the points.
I have another problem.
Dear, I have this network diagram:

From the PC (10.10.10.2) I can ping 10.10.10.1 (DMZ firewall), and PC 192.168.1.2 can ping 10.10.10.1.

But PC 10.10.10.2 cannot ping IP 192.168.1.1 or 192.168.1.2.

I think I need to add an access list or NAT to permit it; please send me this config.


Note:

From the firewall I can ping both IPs, 10.10.10.2 and 192.168.1.2.
If you want, answer me in the new question.


Please see this link and answer me there:

https://www.experts-exchange.com/questions/27392404/ip-route-doesn't-work-in-ASA.html


Regards
I'll see you there then ;)