Figure 4: Network Layout for DMZ Configuration Scenario (labels shown: Inside network 10.10.10.0, HTTP client 10.10.10.10)
Because the DMZ web server is located on a private DMZ network, it is necessary to translate its
private IP address to a public (routable) IP address. This public address allows external clients to access
the DMZ web server in the same way that they access any server on the Internet.
The DMZ configuration scenario shown in Figure 4 provides two routable IP addresses that are
publicly available: one for the outside interface (209.165.200.225) of the adaptive security appliance,
and one for the public IP address of the DMZ web server (209.165.200.226). The following procedure
describes how to use ASDM to configure the adaptive security appliance for secure communications
between HTTP clients and the web server.
In this DMZ scenario, the adaptive security appliance already has an outside interface configured,
called dmz. Set up the adaptive security appliance interface for your DMZ by using the Startup Wizard.
Ensure that the security level is set between 0 and 100. (A common choice is 50.)
Information to Have Available
Before you begin this configuration procedure, gather the following information:
• Internal IP addresses of the servers inside the DMZ that you want to make available to clients on
  the public network (in this scenario, a web server).
• External IP addresses to be used for servers inside the DMZ. (Clients on the public network will
  use the external IP address to access the server inside the DMZ.)
• Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic
  will appear to come from this address so that the internal IP address is not exposed.)
[Figure 4 labels: ASA security appliance; Outside 209.165.200.225; DMZ 10.30.30.0; Web server 10.30.30.30; Internet; HTTP client]