Chapter 6   Scenario: DMZ Configuration
78-18003-02

• Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding), page 6-21
• Providing Public HTTP Access to the DMZ Web Server, page 6-25

The remainder of this chapter provides instructions for how to implement this configuration.

Configuration Requirements

This DMZ deployment of the adaptive security appliance requires configuration rules as follows:

So That...
    Internal clients can request information from web servers on the Internet
Create These Rules...
    The adaptive security appliance comes with a default configuration that permits inside clients access to devices on the Internet. No additional configuration is required.

So That...
    Internal clients can request information from the DMZ web server
Create These Rules...
    • A NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.10.10.30 to 209.165.200.225).
    • A NAT rule between the inside and DMZ interfaces that translates the real addresses of the internal client network. In this scenario, the real IP address of the internal network is translated to itself when internal clients communicate with the DMZ web server (10.10.10.0 to 10.10.10.0).

So That...
    External clients can request information from the DMZ web server
Create These Rules...
    • An address translation rule between the outside and DMZ interfaces that translates the public IP address of the DMZ web server to its private IP address (209.165.200.225 to 10.10.10.30).
    • An access control rule permitting incoming HTTP traffic that is destined for the DMZ web server.

Information to Have Available

Before you begin this configuration procedure, gather the following information:

• Internal IP address of the server inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).
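
The rules listed under Configuration Requirements can be read as a small flow model. The following is an added example, not taken from the Cisco guide, that applies the translations and the access rule to a new TCP connection and lists which ports an outside client can reach. The interface security levels and the choice to match the access rule on the public address are assumptions of the model, not statements from the guide.

```python
from ipaddress import ip_address

# Addresses are the ones given in the rules above. The security levels
# (inside 100, dmz 50, outside 0) and evaluating the access rule against the
# public address are assumptions of this model.
LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
WEB_REAL = ip_address("10.10.10.30")
WEB_PUBLIC = ip_address("209.165.200.225")

# Destination translations: (ingress interface, address the client uses)
# -> (egress interface, real address of the server).
DST_NAT = {
    ("outside", WEB_PUBLIC): ("dmz", WEB_REAL),  # outside/DMZ translation rule
    ("inside", WEB_PUBLIC): ("dmz", WEB_REAL),   # DMZ/inside NAT rule
}
# Explicit access rules: (ingress interface, destination, TCP port).
ACCESS_RULES = {("outside", WEB_PUBLIC, 80)}     # incoming HTTP only


def evaluate(ingress, dst, dport):
    """Return (verdict, real destination) for a new TCP connection."""
    dst = ip_address(dst)
    if (ingress, dst) in DST_NAT:
        egress, real = DST_NAT[(ingress, dst)]
    elif ingress == "inside":
        egress, real = "outside", dst  # Internet-bound, default configuration
    else:
        return ("drop", None)          # no translation leads to this address
    # Higher-to-lower security level is allowed implicitly; the reverse
    # direction needs an explicit access rule, otherwise implicit deny.
    if LEVEL[ingress] > LEVEL[egress] or (ingress, dst, dport) in ACCESS_RULES:
        return ("permit", str(real))
    return ("drop", None)


def exposed_ports(candidates=range(1, 1025)):
    """TCP ports on the public address that an outside client can reach."""
    return [p for p in candidates
            if evaluate("outside", str(WEB_PUBLIC), p)[0] == "permit"]


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.10 stands in for an Internet server.
    for flow in [("outside", "209.165.200.225", 80),
                 ("outside", "209.165.200.225", 22),
                 ("outside", "10.10.10.30", 80),
                 ("inside", "209.165.200.225", 80),
                 ("inside", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(*flow))
    print("exposed to outside:", exposed_ports())
```

Running the same check against the rule set you actually deploy is a quick way to confirm that HTTP is the only service published from the DMZ.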
Configuring the Security Appliance for a DMZ Deployment
ASA 5505 Getting Started Guide
6-11