Chapter 6
Scenario: DMZ Configuration
Enabling Inside Clients to Communicate with the DMZ Web Server
78-18003-02
Note
The ASA 5505 comes with a default configuration that includes the necessary
address translation rule. Unless you want to change the IP address of the inside
interface, you do not need to configure any settings to allow inside clients to
access the Internet.
In this procedure, you configure the adaptive security appliance to allow internal
clients to communicate securely with the web server in the DMZ. To accomplish
this, you must configure two translation rules:
• A NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225).
• A NAT rule between the inside and DMZ interfaces that translates the public IP address of the DMZ web server back to its real IP address (209.165.200.225 to 10.30.30.30).
This is necessary because when an internal client sends a DNS lookup
request, the DNS server returns the public IP address of the DMZ web server.
Because there is no DNS server on the inside network, DNS requests must exit
the adaptive security appliance to be resolved by a DNS server on the Internet.
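The following CLI configuration is an added example and is not part of this guide, which performs these steps in ASDM. It shows the two translation rules described above in the pre-8.3 static/nat/global command syntax of the ASA software this guide covers (on ASA 8.3 and later, NAT is configured with object network and nat statements instead). The interface names inside and dmz, the choice to hide inside clients behind the DMZ interface address rather than an address pool, and the inside client address 192.168.1.2 used in the verification step are assumptions, not values taken from this page. Note that a single static command is bidirectional, so it implements both bullets: inside hosts see the web server as 209.165.200.225, and connections from inside to 209.165.200.225 are delivered to 10.30.30.30 on the DMZ.

```cisco
! Added example (not from the guide): CLI form of the two translation rules.
! Interface names and the inside client address are assumptions.
!
! Rules 1 and 2 (DMZ <-> inside): map the web server's real address
! 10.30.30.30 on the DMZ to its public address 209.165.200.225 as seen from
! the inside interface. Because a static translation applies in both
! directions, an inside client connecting to 209.165.200.225 (the address
! the Internet DNS server returned) reaches 10.30.30.30 on the DMZ.
static (dmz,inside) 209.165.200.225 10.30.30.30 netmask 255.255.255.255
!
! Translate inside client addresses when they reach the DMZ. This example
! hides them behind the DMZ interface address; an address pool could be
! used instead. NAT ID 1 is the one already used by the default
! nat (inside) 1 0.0.0.0 0.0.0.0 statement for outside access.
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
!
! Verification (privileged EXEC mode): trace an inside client's HTTP request
! to the public address and confirm the NAT phase rewrites the destination
! to 10.30.30.30 and the packet is allowed, then inspect the active
! translation entries.
packet-tracer input inside tcp 192.168.1.2 1025 209.165.200.225 80
show xlate
```

If the packet-tracer output shows a DROP in the NAT or ACL phase, check that the static command names the DMZ interface as the real side and the inside interface as the mapped side, and that the DMZ interface has a lower security level than inside so the inside-to-DMZ connection is permitted without an explicit access list.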
This section includes the following topics:
• Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces, page 6-16
• Translating the Public Address of the Web Server to its Real Address, page 6-19
Configuring the Security Appliance for a DMZ Deployment
ASA 5505 Getting Started Guide
6-15