
Giving DMZ internet access only

azore2007
Level 1

Hi!

I'm a bit confused and need some config help.

How would you configure your PIX/ASA to let your DMZ, which has a public IP network, access the internet without NAT'ing it through the outside interface?

And without giving the DMZ access to anything else (like other DMZs, internal networks, etc.)?

Interface Outside

Public IP-Address/NW

Sec-level 0

Interface DMZ

Public IP-Address/NW

Sec-Level 20

Interface Inside

Internal IP Address/NW

Sec 100

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 0.0.0.0 0.0.0.0

static (dmz,outside) dmz_nw dmz_nw

Shouldn't this be enough to let my DMZ out and able to access the internet without using my outside interface IP?

I have nat-control active also

Do I make sense?

Thanks


brettmilborrow
Level 1

Hi,

The config you have should be enough to allow access to the internet for your DMZ hosts, provided that you do not have an acl applied to the DMZ interface.

If you do have an acl applied, you will need to modify the acl to permit the outbound traffic.

e.g:

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53

NOTE: If you want to restrict access from the DMZ to your internal network on the ports mentioned above (you may have noticed the 'any' keyword used as the destination), then you need to add the following to your acl BEFORE the above mentioned lines:

e.g:

access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK

COMMAND SUMMARY:

access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443

access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53

NOTES ON NATTING ON ASA:

Try to remember this: 'statics' override 'nats' for outbound connectivity, unless you specify a 'nat 0'.

In your case you have a static and a nat that covers the DMZ hosts, and taking the above into account, the NAT 0 statement will be used for the outbound connections.

Hope this helps!

Hi!

brettmilborrow:

I have an ACL on my DMZ, so I solved the problem by doing just as you described.

I was hoping, though, that there was a better way than having to implement a "deny ip" at the start of the ACL and then putting the "permit ip any any" to give internal DMZ hosts access to the internet.

But regarding the ACL, I'm going from a higher sec-level towards a lower interface when going "outside", aren't I? My DMZ hosts should only get denied when encountering my other higher sec-level DMZ/inside interfaces.

Thanks, appreciate the help!

kaachary
Cisco Employee

nat (dmz) 0 0.0.0.0 0.0.0.0

will allow DMZ to access Internal networks as well. Delete it, and you should be ok.
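Pulling the two replies together, here is an added example of the resulting pre-8.3 PIX/ASA configuration; it is not any poster's config. Interface names, the RFC 5737 documentation addresses, the ACL name and the DNS server address are placeholders, and the explicit logged deny at the end of the ACL plus the packet-tracer check go beyond what the replies show.

```cisco
! Added example, not from the thread. Placeholder addresses throughout.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet0/1
 nameif dmz
 security-level 20
 ip address 198.51.100.1 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
nat-control
! inside hosts are PAT'd to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! identity static: DMZ hosts keep their own public addresses toward outside.
! No "nat (dmz) 0 0.0.0.0 0.0.0.0" here, as the last reply advises.
static (dmz,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
!
! DMZ ACL: first match wins, so the deny toward inside goes before the
! "any" permits; the final logged deny makes the implicit drop visible.
access-list acl_dmz extended deny ip 198.51.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_dmz extended permit tcp 198.51.100.0 255.255.255.0 any eq 80
access-list acl_dmz extended permit tcp 198.51.100.0 255.255.255.0 any eq 443
access-list acl_dmz extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.53 eq 53
access-list acl_dmz extended permit udp 198.51.100.0 255.255.255.0 host 192.0.2.53 eq 53
access-list acl_dmz extended deny ip any any log
access-group acl_dmz in interface dmz
!
! Verification from enable mode: the first trace should end in DROP at the
! ACL phase, the second in ALLOW with an identity xlate.
! packet-tracer input dmz tcp 198.51.100.10 1025 10.0.0.5 80
! packet-tracer input dmz tcp 198.51.100.10 1025 203.0.113.50 443
! show xlate
```

The DNS rule mirrors the reply's tcp/53 line and adds udp/53, which is what ordinary resolver queries use.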
