Currently, the ASA configuration only allows hosts on the Inside and DMZ networks to access any
hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host on the
Outside to reach the DMZ server, but only over HTTP. The hosts on the Outside will need to use the
209.165.201.30 public IP address when connecting to the DMZ server over HTTP.
Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the
lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to
dynamically allow the echo-reply responses back through the ASA.
Once the correct ASA configurations have been configured:
1. You can test the connectivity to http://209.165.201.30 from the Outside PC browser.
2. You can test the pings to the Outside (www.cisco.com) by opening the inside PC command
prompt window. In this simulation, only testing pings to www.cisco.com will work.
My Answer
Step 1: Firewall > Configuration > NAT Rules > Add Network Object. Name=http, IP version=IPv4, IP address=172.16.1.2, Static NAT=209.165.201.30 > Advanced button > Source: DMZ, Destination: OUTSIDE
Step 2: Firewall > Configuration > NAT Rules > Add Access Rule. Interface=Outside, Action=Permit, Source=any, Destination=172.16.1.2, Service=tcp/http
! When I did the exam, with only step 2 in place (when I tested step 6), the hit count increased in the rule, but the implicit deny rule's count increased too. My solution was to create a new rule to permit the return traffic.
Step 3: Firewall > Configuration > NAT Rules > Add Access Rule. Interface=DMZ, Action=Permit, Source=any, Destination=209.165.201.30, Service=tcp/http
Step 4: Firewall > Configuration > Service Policy Rules > Click Global Policy and Edit, Rule Actions tab, click ICMP and Apply
Step 5: From the Inside PC, ping www.cisco.com
Step 6: From the Outside PC > Firefox > http://209.165.201.30
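For reference, the ASA command-line equivalent of the ASDM steps for the static NAT, the inbound access rule and the ICMP inspection, written as an added example rather than part of the original answer. The interface names Inside, DMZ and Outside, the object name DMZ-WEB and the ACL name OUTSIDE_access_in are assumptions, and the Outside client address used in the packet-tracer check is a constructed value.

```cisco
! Step 1 equivalent: network object for the DMZ web server with static NAT
! (real address 172.16.1.2 on DMZ is published as 209.165.201.30 on Outside).
object network DMZ-WEB
 host 172.16.1.2
 nat (DMZ,Outside) static 209.165.201.30

! Step 2 equivalent: inbound access rule applied on the Outside interface.
! On ASA 8.3 and later the ACL matches the real (untranslated) address, and it
! permits only TCP/80 to this single host; everything else stays implicitly denied.
access-list OUTSIDE_access_in extended permit tcp any host 172.16.1.2 eq www
access-group OUTSIDE_access_in in interface Outside

! Step 4 equivalent: add ICMP to the default global inspection policy so that
! echo-replies for pings started from higher-security interfaces are tracked
! and dynamically allowed back through the ASA.
policy-map global_policy
 class inspection_default
  inspect icmp
! service-policy global_policy global is already applied by default.

! Verification: trace an inbound HTTP request from a constructed Outside
! address (203.0.113.10) to the public address and check that the NAT and
! ACCESS-LIST phases report ALLOW, then review the translation and hit counts.
packet-tracer input Outside tcp 203.0.113.10 12345 209.165.201.30 80
show nat
show access-list OUTSIDE_access_in
```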