Cisco ASA 5505 Getting Started Guide
Configuring the Security Appliance for a DMZ Deployment

Enabling Inside Clients to Communicate with the DMZ Web Server

In this procedure, you configure the adaptive security appliance to allow internal
clients to communicate securely with the web server in the DMZ. To accomplish
this, you must configure two translation rules:
• A NAT rule between the DMZ and inside interfaces that translates the real IP
  address of the DMZ web server to its public IP address (10.30.30.30 to
  209.165.200.225).
• A NAT rule between the inside and DMZ interfaces that translates the public
  IP address of the DMZ web server back to its real IP address
  (209.165.200.225 to 10.30.30.30).
This is necessary because when an internal client sends a DNS lookup
request, the DNS server returns the public IP address of the DMZ web server.
Note: Because there is no DNS server on the inside network, DNS requests must exit the
adaptive security appliance to be resolved by a DNS server on the Internet.
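
The following Python sketch is an added example, not part of the Cisco guide: it models the two translation rules as simple packet rewrites and traces a request from an inside client that connects to the address DNS returned, with each rule switched on or off. The client address 10.10.10.50, the port numbers and the function names are assumptions, and the model is a simplification, not the appliance's actual NAT implementation.

```python
from dataclasses import dataclass, replace

WEB_REAL = "10.30.30.30"        # real DMZ address of the web server (from the page)
WEB_PUBLIC = "209.165.200.225"  # public address that DNS returns (from the page)
CLIENT = "10.10.10.50"          # constructed inside-client address (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def inside_to_dmz(pkt, public_to_real):
    """Second rule on the page: rewrite destination 209.165.200.225 -> 10.30.30.30."""
    if public_to_real and pkt.dst == WEB_PUBLIC:
        return replace(pkt, dst=WEB_REAL)
    return pkt


def dmz_to_inside(pkt, real_to_public):
    """First rule on the page: rewrite source 10.30.30.30 -> 209.165.200.225."""
    if real_to_public and pkt.src == WEB_REAL:
        return replace(pkt, src=WEB_PUBLIC)
    return pkt


def round_trip(real_to_public, public_to_real):
    """Trace one HTTP request from the inside client and the server's reply."""
    request = Packet(CLIENT, WEB_PUBLIC, 40000, 80)  # client connects to the DNS answer
    at_dmz = inside_to_dmz(request, public_to_real)
    if at_dmz.dst != WEB_REAL:
        return "request never reaches the web server"
    # The server replies from its real address to the request's source.
    reply = dmz_to_inside(Packet(WEB_REAL, at_dmz.src, 80, at_dmz.sport), real_to_public)
    # The client matches replies against the address it connected to.
    if (reply.src, reply.sport) != (request.dst, request.dport):
        return f"client drops reply from unexpected source {reply.src}"
    return "connection established"


if __name__ == "__main__":
    for rules in [(True, True), (True, False), (False, True)]:
        print(rules, "->", round_trip(*rules))
```
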
This section includes the following topics:
• Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces
• Translating the Public Address of the Web Server to its Real Address

Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces

To configure NAT to translate internal client IP addresses between the inside
interface and the DMZ interface, perform the following steps:
Step 1  In the ASDM main window, click the Configuration tool.
Step 2  In the Features pane, click NAT.
Step 3  From the Add drop-down list, choose Add Static NAT Rule.
        The Add Static NAT Rule dialog box appears.
Chapter 6
Scenario: DMZ Configuration
78-17612-02