Cisco ASA 5505 Getting Started Manual page 54

Adaptive security appliance

Cisco ASA 5505 Getting Started Guide (78-17612-02)
Chapter 6, Scenario: DMZ Configuration

Example DMZ Network Topology

5. The adaptive security appliance forwards the HTTP content to the internal
   client.

To permit internal clients to request HTTP content from the DMZ web server, the
adaptive security appliance configuration must include the following rules:

- A NAT rule between the DMZ and inside interfaces that translates the real IP
  address of the DMZ web server to the public IP address of the DMZ web
  server (10.30.30.30 to 209.165.200.225).
- A NAT rule between the inside and DMZ interfaces that translates the real
  addresses of the internal client network. In this scenario, the real IP address
  of the internal network is translated to itself when internal clients
  communicate with the web server in the DMZ (10.30.30.30 to 10.30.30.30).

To permit traffic coming from the Internet to access the DMZ web server, the
adaptive security appliance configuration includes the following:

- An address translation rule translating the public IP address of the DMZ web
  server to the private IP address of the DMZ web server.
- An access control rule permitting incoming HTTP traffic that is destined for
  the DMZ web server.

Figure 6-3 shows HTTP requests originating from the Internet and destined for
the public IP address of the DMZ web server.

Figure 6-3 Incoming HTTP Traffic Flow From the Internet

[Figure: HTTP client, Internet, Security Appliance, DMZ Web Server
(Private IP address: 10.30.30.30, Public IP address: 209.165.200.226)]

1. HTTP request sent to public address of DMZ web server.
2. Incoming request destined for public address of DMZ web server intercepted.
3. Destination IP address translated to the private IP address of the web server.
4. Web server receives request for content.
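The two Internet-facing rules above only do their job as a pair, so it is worth checking an exported configuration for a translation with no matching permit, or with a permit wider than HTTP. The following is an added example, not from the Cisco guide: it assumes pre-8.3 ASA CLI syntax, the interface names dmz and outside, a hypothetical ACL name OUTSIDE_IN, and the 209.165.200.225 mapping from the NAT rule text.

```python
import re

# Constructed sample config (pre-8.3 ASA CLI syntax). Interface names and the
# ACL name OUTSIDE_IN are assumptions, not values taken from the guide.
SAMPLE_CONFIG = """\
static (dmz,outside) 209.165.200.225 10.30.30.30 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 209.165.200.225 eq www
access-group OUTSIDE_IN in interface outside
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)", re.M)
# Only "permit <proto> any <host X | any> [eq <port>]" entries are modelled.
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (\w+) any (host \S+|any)(?: eq (\S+))?",
    re.M)

def audit(config, allowed=(("tcp", "www"), ("tcp", "80"))):
    """Return findings for static NATs whose inbound ACL is missing or too broad."""
    acl_by_ifc = {ifc: acl for acl, ifc in GROUP_RE.findall(config)}
    findings = []
    for real_ifc, mapped_ifc, mapped_ip, real_ip in STATIC_RE.findall(config):
        acl = acl_by_ifc.get(mapped_ifc)
        # In this syntax the inbound ACL matches the mapped (public) address.
        aces = [(proto, port or "any")
                for name, proto, dst, port in ACE_RE.findall(config)
                if name == acl and dst in (f"host {mapped_ip}", "any")]
        if not aces:
            findings.append(
                f"{mapped_ip}->{real_ip}: translated but no permit on {mapped_ifc}")
        for proto, port in aces:
            if (proto, port) not in allowed:
                findings.append(
                    f"{mapped_ip}->{real_ip}: exposes {proto}/{port} on {mapped_ifc}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "static NAT and HTTP-only permit are paired")
```

Object groups, network-range destinations and deny entries are not parsed, so an empty result covers only the entry forms shown in the sample.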
