Configuring the Adaptive Security Appliance for a DMZ Deployment
Cisco ASA 5500 Series Getting Started Guide

Information to Have Available

Before you begin this configuration procedure, gather the following information:

• Internal IP address of the server inside the DMZ that you want to make
  available to clients on the public network (in this scenario, a web server).
• Public IP addresses to be used for servers inside the DMZ. (Clients on the
  public network will use the public IP address to access the server inside the
  DMZ.)
• Client IP address to substitute for internal IP addresses in outgoing traffic
  (in this scenario, the IP address of the outside interface). Outgoing client
  traffic will appear to come from this address so that the internal IP address
  is not exposed.

Enabling Inside Clients to Communicate with Devices on the Internet

To permit internal clients to request content from devices on the Internet, the
adaptive security appliance translates the real IP addresses of internal clients to
the external address of the outside interface (that is, the public IP address of the
adaptive security appliance). Outgoing traffic appears to come from this address.

Enabling Inside Clients to Communicate with the DMZ Web Server

In this procedure, you configure the adaptive security appliance to allow internal
clients to communicate securely with the web server in the DMZ. To accomplish
this, you must configure a translation rule.

Configure a NAT rule between the DMZ and inside interfaces that translates the
real IP address of the DMZ web server to its public IP address (10.30.30.30 to
209.165.200.225).

This is necessary because when an internal client sends a DNS lookup request, the
DNS server returns the public IP address of the DMZ web server.
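
The two translations described above, as an added example that is not part of the original guide and is not ASA code: a small Python model that walks a packet from an inside client through the appliance with and without the DMZ/inside rule. The inside client address, the outside interface address, and the class and function names are constructed for illustration; only 10.30.30.30 and 209.165.200.225 come from the guide.

```python
from dataclasses import dataclass, replace

DMZ_REAL, DMZ_PUBLIC = "10.30.30.30", "209.165.200.225"  # from the guide
OUTSIDE_IF_IP = "192.0.2.1"     # constructed: outside interface address
INSIDE_CLIENT = "192.168.1.10"  # constructed: an inside client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Firewall:
    def __init__(self, dmz_inside_rule: bool):
        self.dmz_inside_rule = dmz_inside_rule
        self.pat = {}           # mapped source port -> (real ip, real port)
        self.next_port = 1024

    def from_inside(self, pkt: Packet):
        """Return (egress interface, packet as it leaves the appliance)."""
        # DMZ/inside rule: the client targets the public address it got from
        # DNS; the destination is rewritten to the server's real address.
        if self.dmz_inside_rule and pkt.dst == DMZ_PUBLIC:
            return "dmz", replace(pkt, dst=DMZ_REAL)
        # Model assumption: any other destination is an Internet host, so the
        # source is hidden behind the outside interface address (PAT).
        port = self.next_port
        self.next_port += 1
        self.pat[port] = (pkt.src, pkt.sport)
        return "outside", replace(pkt, src=OUTSIDE_IF_IP, sport=port)

    def reply_from_outside(self, pkt: Packet):
        """Undo PAT for return traffic; None when no translation exists."""
        slot = self.pat.get(pkt.dport)
        if slot is None or pkt.dst != OUTSIDE_IF_IP:
            return None
        return replace(pkt, dst=slot[0], dport=slot[1])

def walk(dst: str, dmz_inside_rule: bool):
    """Send one HTTP request from the inside client and report its path."""
    fw = Firewall(dmz_inside_rule)
    return fw.from_inside(Packet(INSIDE_CLIENT, dst, 40000, 80))
```

Calling walk(DMZ_PUBLIC, False) shows the failure the guide warns about: without the DMZ/inside rule, the request for the DNS-supplied public address leaves on the outside interface and never reaches the DMZ web server.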
Chapter 8
Scenario: DMZ Configuration
78-19186-01