Hosting Web Site in DMZ in ASA-GNS3

Posted: July 31, 2015 in CISCO

This is an extension of the previous article: we add a DMZ interface with a web server behind it, then configure NAT and an access list so that clients on the Internet can reach the web site in the DMZ network.


The only change on R1 is one additional EIGRP network statement for 10.2.2.0.

R2:

interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
duplex auto
speed auto
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
!
router eigrp 20
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary

ASA config:

I added an IP address on the g2 (DMZ) interface, named it dmz (the name the NAT and access-group commands below refer to), set its security-level to 70 and added network 192.168.12.0 to the EIGRP configuration:

ciscoasa(config)# int g2
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 70
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network 192.168.12.0 255.255.255.0

Configure a network object for the DMZ server. The object carries the static NAT rule that translates the web server's real address to an outside address; the translated address, 209.165.200.227, stands in for a public IP and is taken from the same 209.165.200.224/29 block that R2's FastEthernet0/0 sits on:

ciscoasa(config)# object network web-server
ciscoasa(config-network-object)# host 192.168.12.10
ciscoasa(config-network-object)# nat (dmz,outside) static 209.165.200.227

Create an access list that permits any IP protocol from anywhere (any) to the web server. On ASA 8.3 and later, access lists match the real (untranslated) address, so the entry names 192.168.12.10 rather than 209.165.200.227. Because the traffic enters the ASA on the outside interface and leaves through the dmz interface, the list is applied inbound (in) on outside. Note that permit ip any is wider than a web server needs; outside the lab, restrict it to tcp 80/443 (plus icmp echo if you want to keep the ping test):

ciscoasa(config)#access-list 102 extended permit ip any host 192.168.12.10
ciscoasa(config)#access-group 102 in interface outside

Ping from client1 to the “public” IP 209.165.200.227, then check the translation table:

ciscoasa# sh xlate
3 in use, 3 most used
Flags: D – DNS, i – dynamic, r – portmap, s – static, I – identity , T – twice
NAT from dmz:192.168.12.10 to outside:209.165.200.227
flags s idle 0:00:19 timeout 0:00:00

The static entry (flag s) NAT from dmz:192.168.12.10 to outside:209.165.200.227 confirms that pings from client1 to 209.165.200.227 are translated to the web server's real address.

From client1, browse to the IP address set in the NAT rule (209.165.200.227):


Traffic from hosts behind the inside interface (security-level 100) to the DMZ (70) is permitted by default, and the replies come back through the stateful connection table. What is blocked by default is traffic the web server itself initiates toward the inside network. To allow pings in both directions, between hosts on the inside network 192.168.2.0/24 and the web server in the DMZ, add an access list inbound on the dmz interface:

ciscoasa(config)# access-list 105 extended permit ip host 192.168.12.10 192.168.2.0 255.255.255.0
ciscoasa(config)# access-group 105 in interface dmz

Caveat: as soon as an access list is bound to dmz, the default permit for traffic from dmz to lower-security interfaces (outside) is replaced by the list's implicit deny. Established TCP connections from client1 keep working because they are tracked by state, but the server's ICMP echo replies to the Internet are new packets to the ASA and will be dropped unless ICMP inspection is enabled or the list permits them explicitly.
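As an added example, not part of the original post, here is the same DMZ setup written to least privilege: the interface is named dmz (the name the post's NAT and access-group commands use), the outside list admits only the services the web server serves plus echo so the ping test still works, the dmz list lets the server ping inside hosts but explicitly denies everything else toward the inside network before opening the server's own Internet access, and ICMP inspection makes echo replies stateful so they need no ACL entries of their own. It assumes ASA 8.3+ syntax, an inside network of 192.168.2.0/24 as in the access list above, and 209.165.200.230 as an arbitrary test client address for packet-tracer; the list names OUTSIDE_IN and DMZ_IN are assumptions, not from the post.

```cisco
! Added example (not the post's own config): hardened DMZ policy, ASA 8.3+ syntax.
! Assumed: inside network 192.168.2.0/24, list names OUTSIDE_IN / DMZ_IN,
! test client 209.165.200.230 for packet-tracer.

interface GigabitEthernet2
 nameif dmz
 security-level 70
 ip address 192.168.12.2 255.255.255.0
 no shutdown

object network web-server
 host 192.168.12.10
 nat (dmz,outside) static 209.165.200.227

! Internet -> DMZ: only what the server actually serves, plus echo for testing.
! On 8.3+ the ACL matches the real (untranslated) address, hence 192.168.12.10.
access-list OUTSIDE_IN extended permit tcp any host 192.168.12.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.168.12.10 eq https
access-list OUTSIDE_IN extended permit icmp any host 192.168.12.10 echo
access-group OUTSIDE_IN in interface outside

! DMZ -> inside is denied by default (70 < 100): permit only echo from the server,
! then deny the rest toward the inside network BEFORE the "any" lines below,
! otherwise "any" would include 192.168.2.0/24.
access-list DMZ_IN extended permit icmp host 192.168.12.10 192.168.2.0 255.255.255.0 echo
access-list DMZ_IN extended deny ip any 192.168.2.0 255.255.255.0
! Binding a list to dmz removes the default dmz -> outside permit, so the server's
! own Internet-bound traffic must be allowed explicitly.
access-list DMZ_IN extended permit udp host 192.168.12.10 any eq domain
access-list DMZ_IN extended permit tcp host 192.168.12.10 any eq www
access-list DMZ_IN extended permit tcp host 192.168.12.10 any eq https
access-group DMZ_IN in interface dmz

! Make ICMP stateful: echo replies are matched to their requests instead of
! needing separate echo-reply entries in OUTSIDE_IN and DMZ_IN.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verify without leaving the ASA: trace an HTTP connection and a ping from a
! host on the Internet to the published address.
packet-tracer input outside tcp 209.165.200.230 40000 209.165.200.227 80
packet-tracer input outside icmp 209.165.200.230 8 0 209.165.200.227
show xlate
show access-list OUTSIDE_IN
```

Paste the block in configuration mode. packet-tracer walks the packet through the ACL, NAT and inspection phases and names the exact entry that allowed or dropped it, which is a quicker and more precise check than pinging from client1 and guessing; the hit counters in show access-list then confirm which entries real traffic is matching.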
