DMZ access from internal network

alvarezromeo · ‎10-24-2007

I have an exchange server sitting in my DMZ, IP addy 10.x.x.x and I want users in my internal network, 172.x.x.x, to be able to access it via ports 80 and 443 for OWA. What would the ACLs for this look like?

sundar.palaniappan · ‎10-24-2007

If it's PIX/ASA then with the default configuration you don't need ACL for access from inside to DMZ. The only thing that you would need is NAT or no-nat. Something like this should take care of it.

nat (inside) 1 access-list test

global (dmz) 1 interface

access-list test extended permit tcp 172.x.x.x 255.255.255.0 host 10.x.x.x eq www

access-list test extended permit tcp 172.x.x.x 255.255.255.0 host 10.x.x.x eq https

If I have not understood your setup or requirement correct just provide more details so that we could help you better.

HTH

Sundar

alvarezromeo · ‎10-24-2007

I had that entry but my WAN guy told me

"Your DMZ ACL is applied inbound on the DMZ interface so there is no way 216.x subnet is going to be the source"

These are these entries I had:

access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.x.x.x eq 80

access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.x.x.x eq 443

andersonsidney · ‎10-24-2007

PIX

access-list inside_in permit tcp host 10.0.0.0 255.0.0.0 host 172.x.x.x eq 80

access-list inside_in permit tcp host 10.0.0.0 255.0.0.0 host 172.x.x.x eq 443

alvarezromeo · ‎10-24-2007

Can you make sense of this, i think smtp is allowed in but not out, what entries would i make?

Oct 24 20:50:13 172.x.x.1 %PIX-4-106023: Deny tcp src DMZ:10.x.x.x/3743 dst outside:216.39.53.2/25 by access-group "DMZ"

Oct 24 20:50:13 172.x.x.1 %PIX-4-106023: Deny tcp src DMZ:10.x.x.x/3744 dst outside:209.191.118.103/25 by access-group "DMZ"