
Hosting Web Site in DMZ in ASA-GNS3

Posted: July 31, 2015 in CISCO

This is an extension of this article: we'll add a DMZ interface and a web server in the DMZ zone, and configure NAT and an access list so that a client on the internet can reach the web site in the DMZ network.

The only change on router R1 is one additional entry for network 10.2.2.0 in the EIGRP configuration.

R2:

interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
duplex auto
speed auto
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
!
router eigrp 20
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary

ASA config:

I added an IP address on the e2 (DMZ) interface, set its security level to 70, and added network 192.168.12.0 to the EIGRP configuration:

ciscoasa(config)# int g2
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# security-level 70

ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network 192.168.12.0 255.255.255.0

Configure a network object for the DMZ server. This object will be used to translate the web server's address to an outside address with static NAT (the translated address will be 209.165.200.227, an "imagined" public IP address):

ciscoasa(config)# object network web-server
ciscoasa(config-network-object)# host 192.168.12.10
ciscoasa(config-network-object)# nat (dmz,outside) static 209.165.200.227

Create an access list that permits any IP protocol from anywhere (any) to the web server (192.168.12.10). Because traffic flows from the outside interface to the dmz interface, it enters (in) on outside on its way to the DMZ interface. On ASA 8.3 and later, interface access lists reference the real (untranslated) address, which is why the rule names 192.168.12.10 rather than the mapped 209.165.200.227. Permitting all IP protocols is convenient for the ping test below; for a production web server you would restrict the rule to the web port.

ciscoasa(config)# access-list 102 extended permit ip any host 192.168.12.10
ciscoasa(config)# access-group 102 in interface outside

Ping from client1 to the web server's "public" IP 209.165.200.227:

ciscoasa# sh xlate
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:192.168.12.10 to outside:209.165.200.227
flags s idle 0:00:19 timeout 0:00:00

As we can see, pings from outside (client1) to the web server in the DMZ (209.165.200.227) are now translated to 192.168.12.10.

From client1, type the IP address we set in the NAT rule (209.165.200.227):


To allow ping between hosts behind the inside interface and the web server in the DMZ zone, and vice versa: traffic initiated from inside (security level 100) toward the DMZ (security level 70) is already permitted by the default higher-to-lower rule, so the access list below is what allows connections initiated by the web server toward the inside network (192.168.2.0/24).

ciscoasa(config)# access-list 105 extended permit ip host 192.168.12.10 192.168.2.0 255.255.255.0
ciscoasa(config)# access-group 105 in interface dmz
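As an added example (not the author's own configuration), here are the DMZ pieces of this lab collected in one place, covering both the outside-to-DMZ NAT/access-list section and the DMZ-to-inside section above, with a tightened outside rule and a verification step. It assumes the DMZ interface is GigabitEthernet2 named "dmz", the inside network is 192.168.2.0/24, the web server listens on TCP 80 only, an outside test client at 209.165.200.230, and ASA 8.3+ object-NAT syntax.

```cisco
! Added example, not the post's configuration. Assumed: DMZ interface is
! GigabitEthernet2 named "dmz", inside network 192.168.2.0/24, web server
! listens on TCP 80 only, outside test client 209.165.200.230 (ASA 8.3+).
interface GigabitEthernet2
 nameif dmz
 security-level 70
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
router eigrp 20
 network 192.168.12.0 255.255.255.0
!
object network web-server
 host 192.168.12.10
 nat (dmz,outside) static 209.165.200.227
!
! Lab rule from the post: any IP protocol from anywhere to the server's real
! address (needed for the ping test). Too broad for a production web server.
access-list 102 extended permit ip any host 192.168.12.10
!
! Hardened alternative: only HTTP to the server's real (untranslated) address.
! ASA 8.3+ evaluates interface ACLs against real addresses, so 192.168.12.10
! is used here even though clients connect to 209.165.200.227. Only one ACL
! can be bound per interface and direction, so this replaces 102 on outside.
access-list OUTSIDE-IN extended permit tcp any host 192.168.12.10 eq www
access-group OUTSIDE-IN in interface outside
!
! Let the web server reach the inside network (inside->dmz is already allowed
! by the default higher-to-lower security rule; dmz->inside needs this ACL).
access-list 105 extended permit ip host 192.168.12.10 192.168.2.0 255.255.255.0
access-group 105 in interface dmz
!
! Optional: make ICMP stateful so echo replies are matched to their requests
! instead of needing a permit rule in the return direction.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: simulate an HTTP SYN from the assumed outside client to the
! mapped address (shows the NAT and ACL phases), then inspect the tables.
packet-tracer input outside tcp 209.165.200.230 12345 209.165.200.227 80
show xlate
show nat
```

With the hardened rule applied, a ping from client1 to 209.165.200.227 is expected to fail while an HTTP connection to the same address succeeds; switch back to access-list 102 if you want to repeat the ping test from the post.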
