here is my dilemma, we have a dmz setup on an asa5520 where we are going to have a public web server that needs to access a backend sql database on the internal network.
I want to allow the server in the dmz to initiate with the internet as well as be accessible from the internet, and to be able to initiate with a few servers on the inside for backup processes. I also want to be able to manage dmz servers from the inside, restricted to a few specific ip addresses.
I know how to create acls in the dmz to allow access back to the internal network, however when i do this i am unable to then connect to the internet from the webserver in the dmz. right now i have taken out the specific acls and added one blanket acl to allow ip any any. However this gives me complete access to the internal network, but it also gives me internet access?
My question is what kind of acls do i need to write to
1. allow servers in the dmz to access the internet with its range of ip addresses. Some sort of Nat Statement?
2. allow servers in dmz to access specific internal servers
3. manage web servers in dmz from internal network.
I have taken out the static nat statement allowing the public ip of the web server in the dmz to be translated to the private ip. static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255
#Allow outside to hit dmz server
static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255
#Allow communication between inside and srv network
static (inside,srv) 172.18.1.0 172.18.1.0 netmask 255.255.224.0
#ACL for dmz interface
access-list dmz extended permit tcp host 10.10.2.x host eq xxx
#Add additional permit statements here
#Now deny everything else to inside
access-list dmz extended deny ip any 172.18.1.0 255.255.224.0
#Now allow all other traffic outbound to internet from srv
access-list dmz extended permit ip any any
access-group dmz in interface srv