I've set up an ASA 5516-X (running ASA Software 9.9) in a new rack for our company. This rack features 3 networks:
- Outside: 46.x.y.z/29
- DMZ: 5.x.y.z/26
- Inside: 10.10.0.0/16
The new rack needs to expose a number of services to the net to support various ops, for example VOIP and web hosting. Some servers, e.g. web hosts, need an IP on the DMZ but don't need that IP on the server itself - for those, I've used "Public Servers" and set up the various addresses and services. I've also enabled the DNS rewrite feature on the resulting NAT rules and it's working perfectly accessing the servers both internally and externally.
Some servers, e.g. VOIP, need their DMZ bound to the server - it uses this to discern the difference between internal and external traffic. I've done exactly this, so an example network config would be:
Inside NIC:
- 10.10.17.11
- 255.255.0.0
- 10.10.1.1 (GW)
DMZ NIC:
- 5.y.x.211
- 255.255.255.224
What is the best way to set up access rules and NAT to allow access in the following scenarios?
- External access to service: traffic to 5.x.y.211 arrives on outside interface, must leave via outside interface
- Internal access to service: traffic to 5.x.y.211 (e.g. pings) arrives on internal interface
- Service accesses the internet: traffic must appear to have originated from 5.x.y.211, NOT the ASA's outside IP.
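The following is an added example, not part of the original post, showing one way the three scenarios above map onto ASA 9.x NAT and access rules when the DMZ address is bound directly to the server. It assumes interface names of inside, dmz and outside with security levels 100, 50 and 0, that the upstream provider routes 5.x.y.0/26 to the ASA's outside address, and that the exposed service is SIP on UDP/5060 (a placeholder; substitute the real ports). Object and ACL names are invented for the example.

```text
! Added example (not from the original post): ASA 9.x NAT and access rules
! for a DMZ server that owns its own public address.
! Assumptions: interfaces inside/dmz/outside (security 100/50/0), provider
! routes 5.x.y.0/26 to the ASA, service port UDP/5060 is a placeholder.
!
object network DMZ-VOIP
 host 5.x.y.211
 description VOIP server, public address bound directly to its DMZ NIC
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
!
! Scenario 3 (and the return path for scenario 1): identity NAT keeps
! 5.x.y.211 unchanged toward the outside instead of PAT'ing it to the
! ASA's outside IP. no-proxy-arp because the address lives on the DMZ
! segment, not the outside segment, so the ASA must not answer ARP for
! it on the outside wire.
object network DMZ-VOIP
 nat (dmz,outside) static 5.x.y.211 no-proxy-arp
!
! Scenario 2: inside hosts reach the DMZ address untranslated. This
! Section 1 (twice NAT) rule takes precedence over any broad dynamic PAT
! rule such as "nat (inside,any) dynamic interface", so pings from
! 10.10.0.0/16 keep their real source and the server answers directly.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-VOIP DMZ-VOIP
!
! Scenario 1: permit only the exposed service inbound on the outside
! interface. Post-8.3 ACLs reference the real (untranslated) address,
! which here is also the public one. The explicit deny adds logging of
! blocked attempts on top of the implicit deny.
access-list OUTSIDE_IN extended permit udp any object DMZ-VOIP eq 5060
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! With dmz at security 50 and outside at 0, the server's own sessions to
! the internet are allowed by the default higher-to-lower rule; apply an
! inbound ACL on dmz if those outbound flows should be restricted.
```

The key point is that no address translation is required for a server that already holds a routable DMZ address; the identity rules exist only to stop more general dynamic PAT rules from rewriting its traffic, and the ACL on the outside interface is what actually limits exposure. Verify with `show nat detail` that the identity entries are hit and with `packet-tracer input outside udp 203.0.113.10 40000 5.x.y.211 5060` (203.0.113.10 is a documentation address used as a sample source) that inbound traffic takes the intended rules.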