10-24-2007 02:19 PM - edited 03-05-2019 07:18 PM
I have an exchange server sitting in my DMZ, IP addy 10.x.x.x and I want users in my internal network, 172.x.x.x, to be able to access it via ports 80 and 443 for OWA. What would the ACLs for this look like?
10-24-2007 02:59 PM
If it's PIX/ASA then with the default configuration you don't need ACL for access from inside to DMZ. The only thing that you would need is NAT or no-nat. Something like this should take care of it.
nat (inside) 1 access-list test
global (dmz) 1 interface
access-list test extended permit tcp 172.x.x.x 255.255.255.0 host 10.x.x.x eq www
access-list test extended permit tcp 172.x.x.x 255.255.255.0 host 10.x.x.x eq https
If I have not understood your setup or requirement correctly, just provide more details so that we can help you better.
HTH
Sundar
10-24-2007 05:18 PM
I had that entry but my WAN guy told me
"Your DMZ ACL is applied inbound on the DMZ interface so there is no way 216.x subnet is going to be the source"
These are the entries I had:
access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.x.x.x eq 80
access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.x.x.x eq 443
10-24-2007 03:08 PM
PIX
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 host 172.x.x.x eq 80
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 host 172.x.x.x eq 443
10-24-2007 06:35 PM
Can you make sense of this? I think SMTP is allowed in but not out. What entries would I make?
Oct 24 20:50:13 172.x.x.1 %PIX-4-106023: Deny tcp src DMZ:10.x.x.x/3743 dst outside:216.39.53.2/25 by access-group "DMZ"
Oct 24 20:50:13 172.x.x.1 %PIX-4-106023: Deny tcp src DMZ:10.x.x.x/3744 dst outside:209.191.118.103/25 by access-group "DMZ"
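To make the two points in this thread concrete (an ACL applied inbound on the DMZ interface only ever sees DMZ-sourced packets, and a %PIX-4-106023 message tells you which access-group dropped the flow), here is an added worked example that is not part of the thread and not Cisco code. It parses the subset of PIX extended ACL syntax used above (permit/deny, tcp or ip, `any`/`host`/subnet-mask addresses, an optional destination `eq` port), evaluates a flow first-match with the implicit deny, and parses 106023 deny lines so a denied flow can be re-checked against the named ACL. The addresses 10.10.10.5 and 172.0.216.1 are constructed stand-ins for the masked 10.x.x.x / 172.x.x.1 values; the SMTP ACE at the bottom is an assumed example entry, not something the thread provides.

```python
"""Toy evaluator for PIX/ASA-style extended ACLs and %PIX-4-106023 deny logs.

Added example for this thread, not Cisco code. Handles only: permit/deny,
protocols tcp/ip, address specs 'any' | 'host A' | 'A MASK', optional
destination 'eq PORT'. Source-port specs, object-groups and other keywords
are out of scope.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Small subset of the port keywords PIX/ASA accept in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*)$"
)

# Shape of the 106023 messages quoted in the thread.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # dotted-decimal netmask as written in PIX ACLs
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_ace(line):
    """Parse one access-list line into an Ace."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an access-list line: {line!r}")
    tokens = m.group("rest").split()
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Ace(m.group("name"), m.group("action"), m.group("proto"), src, dst, dport)


def acl_permits(aces, proto, sip, dip, dport):
    """First-match evaluation; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(sip), ipaddress.IPv4Address(dip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action == "permit"
    return False


def parse_deny(line):
    """Extract the flow and access-group from a %PIX-4-106023 line, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def explain_deny(line, acls):
    """Re-evaluate a logged deny against the named ACL to confirm nothing matched."""
    d = parse_deny(line)
    if d is None:
        return None
    permitted = acl_permits(acls.get(d["acl"], []), d["proto"], d["sip"], d["dip"], d["dport"])
    flow = f'{d["sif"]}:{d["sip"]}:{d["sport"]} -> {d["dif"]}:{d["dip"]}:{d["dport"]}/{d["proto"]}'
    return {"acl": d["acl"], "flow": flow, "permitted": permitted}


# Constructed stand-ins for the thread's masked entries and log lines.
DMZ_ACL = [parse_ace(l) for l in (
    "access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.10.10.5 eq 80",
    "access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.10.10.5 eq 443",
)]
SAMPLE_LOGS = [
    'Oct 24 20:50:13 172.0.216.1 %PIX-4-106023: Deny tcp src DMZ:10.10.10.5/3743 dst outside:216.39.53.2/25 by access-group "DMZ"',
    'Oct 24 20:50:13 172.0.216.1 %PIX-4-106023: Deny tcp src DMZ:10.10.10.5/3744 dst outside:209.191.118.103/25 by access-group "DMZ"',
]
# Assumed example entry for outbound mail from the DMZ host (not from the thread).
SMTP_OUT_ACE = parse_ace("access-list DMZ permit tcp host 10.10.10.5 any eq smtp")

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(explain_deny(line, {"DMZ": DMZ_ACL}))
    # The 172-sourced entries can never match on the DMZ inbound ACL:
    print(acl_permits(DMZ_ACL, "tcp", "10.10.10.5", "216.39.53.2", 25))
    print(acl_permits(DMZ_ACL + [SMTP_OUT_ACE], "tcp", "10.10.10.5", "216.39.53.2", 25))
```

Running it shows both logged flows evaluate to "not permitted" against the DMZ ACL as posted, because every ACE there has a 172.0.216.0/24 source while packets entering the DMZ interface are sourced from the 10.x host; only an ACE with the DMZ host as source (such as the assumed SMTP entry) matches that direction.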