Giving DMZ internet access only

Unanswered Question
Mar 5th, 2008

Hi!


I'm a bit confused and need some config help.


How would you configure your PIX/ASA to let your DMZ, which has a public IP network, access the internet without NAT'ing it through the outside interface?

And without giving the DMZ access to anything else (like other DMZs, internal networks etc.)?


Interface Outside

Public IP-Address/NW

Sec-level 0


Interface DMZ

Public IP-Address/NW

Sec-Level 20


Interface Inside

Internal IP Address/NW

Sec 100


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 0.0.0.0 0.0.0.0


static (dmz,outside) dmz_nw dmz_nw


Shouldn't this be enough to let my DMZ out and able to access the internet without using my outside interface IP?



I have nat-control active also


Do I make sense?


Thanks

brettmilborrow Wed, 03/05/2008 - 08:47

Hi,


The config you have should be enough to allow access to the internet for your DMZ hosts, provided that you do not have an acl applied to the DMZ interface.


If you do have an acl applied, you will need to modify the acl to permit the outbound traffic.


e.g:

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53



NOTE: If you want to restrict access from the DMZ to your internal network on the ports mentioned above (you may have noticed the 'any' keyword used as the destination), then you need to add the following to your acl BEFORE the above mentioned lines:


e.g:

access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK



COMMAND SUMMARY:

access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53



NOTES ON NATTING ON ASA:

Try to remember this: 'statics' override 'nats' for outbound connectivity, unless you specify a 'nat 0'.


In your case you have a static and a nat that covers the DMZ hosts, and taking the above into account, the NAT 0 statement will be used for the outbound connections.


Hope this helps!
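The ordering point above, shown as an added first-match simulation (my example, not Brett's config and not ASA code): the answer's ACL lines are evaluated the way an ASA interface ACL is, first match wins with an implicit deny at the end, using constructed values for DMZ_NET, INT_NET and DNS_SERVER.

```python
import ipaddress

# Constructed sample values for the placeholders in the answer (assumptions).
SYMBOLS = {
    "DMZ_NET": "203.0.113.0", "DMZ_MASK": "255.255.255.0",
    "INT_NET": "10.10.0.0", "INT_MASK": "255.255.0.0",
    "DNS_SERVER": "198.51.100.53",
}

PERMITS = [
    "access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80",
    "access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443",
    "access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53",
]
DENY_INTERNAL = "access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK"
ACL_WITHOUT_DENY = PERMITS                  # the first e.g. block
ACL_WITH_DENY = [DENY_INTERNAL] + PERMITS   # the COMMAND SUMMARY order

def _addr(tok, i):
    """Consume one ASA address spec at tok[i]: any | host X | NET MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list NAME action proto SRC DST [eq PORT] -> tuple."""
    tok = [SYMBOLS.get(t, t) for t in line.split()]
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching ACE decides; no match falls to the implicit deny."""
    for line in acl:
        action, p, src, dst, port = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(src_ip) not in src:
            continue
        if ipaddress.ip_address(dst_ip) not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

Because the permits use `any` as destination, a DMZ host reaching an internal web server on tcp/80 is permitted unless the deny line sits first; note also that the DNS line only covers tcp/53, so udp/53 lookups fall to the implicit deny.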


azore2007 Thu, 03/06/2008 - 02:42

Hi!


brettmilborrow:


I have an ACL on my DMZ, so I solved the problem then by doing just as you described it.


I was hoping though that there was a better way than having to implement a "deny ip" at the start of the ACL, and then putting the "permit ip any any" to give internal DMZ hosts access to the internet.


But regarding the ACL, I'm going from a higher sec-level towards a lower interface when going "outside", aren't I? My DMZ hosts should only get denied when encountering my other higher sec-level DMZ/inside interface.


Thanks, appreciate the help!

kaachary Wed, 03/05/2008 - 13:52
User Badges:
  • Cisco Employee,

nat (dmz) 0 0.0.0.0 0.0.0.0


will allow DMZ to access Internal networks as well. Delete it, and you should be ok.
