My customer needs to connect one server system in a particular DMZ with other systems in the corporate LAN. The requirement is that all LAN servers/workstations can reach the DMZ server over particular ports. In the opposite direction, this DMZ server should be able to initiate traffic to some servers in the corporate LAN. Also, the requirement is that this DMZ server can reach the Internet over the LAN interface, as this DMZ should be made on an ASA FW that protects only that server. The server IP address is (example): 192.168.2.100
For this task, we used ASA5510. I configured two interfaces, in a standard manner:
ip address 192.168.2.1 255.255.255.0
ip address 10.164.0.60 255.255.255.0
As the custlan interface is on a higher security level, it can reach the custdmz2 network. To filter the traffic to only the allowed ports, I added the following access-list:
access-list custlan_to_custdmz2 extended permit tcp any host 192.168.2.100 eq 709
access-list custlan_to_custdmz2 extended permit tcp any host 192.168.2.100 eq 710
access-list custlan_to_custdmz2 extended permit tcp any host 192.168.2.100 eq 829
access-group custlan_to_custdmz2 in interface custlan
To be able to initiate web traffic from the DMZ server to some LAN server, I added the following:
access-list custdmz2_to_custlan extended permit tcp host 192.168.2.100 any eq www
access-group custdmz2_to_custlan in interface custdmz2
At this point, I have all traffic working as expected, except traffic from custdmz2 to the Internet, which should go over the custlan interface (this ASA FW is not directly connected to the Internet, but the custlan interface is in a LAN segment that is routed to another firewall that is the gateway to the Internet).
OK, to be able to route the traffic to the Internet GW, I need to add the route to the default gateway:
route custlan 0.0.0.0 0.0.0.0 10.164.0.1 1
Then, to be able to resolve DNS from custdmz2, I need the following:
access-list custdmz2_to_custlan extended permit udp any any eq domain
access-list custdmz2_to_custlan extended permit tcp any any eq domain
After that, what is needed is to configure the corporate gateway system (firewall at 10.164.0.1) to route traffic correctly to subnet 192.168.2.0 (i.e. to zone custdmz2) and to allow traffic from that zone to the Internet. And that's it.
But, the customer asked me to configure our firewall in a different way, in order not to change anything on the main corporate firewall (gateway to the Internet). So, forget the Phase2!
What I can do is NAT traffic from custdmz2 to the custlan zone, and that way get the traffic to the Internet, as the custlan interface is already in a subnet that is allowed to pass traffic to the Internet. In order to do that, I can add the following:
nat (custdmz2) 1 192.168.2.0 255.255.255.0 outside
global (custlan) 1 interface
OK, now I have traffic from the custdmz2 server to the Internet, without the need to change the configuration on the main corporate firewall system (10.164.0.1). But, at this moment, I am losing traffic from custlan to the custdmz2 server, due to the NAT traffic.
I need help. How do I retain all traffic rules from custlan to custdmz2, and from custdmz2 to custlan, but also have traffic from custdmz2 to the Internet, over the custlan interface?
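The usual way to keep LAN-to-DMZ traffic untranslated while still PATing the DMZ server's Internet-bound traffic is NAT exemption, shown here as an added example in the same pre-8.3 nat/global syntax the post uses; this is not the poster's configuration. It assumes the custlan subnet is 10.164.0.0/24 (from the interface address above), that the DMZ subnet is 192.168.2.0/24, and the access-list name NONAT and the 10.164.0.50 test host are made up for the example.

```asa
! Added example, not the original poster's config. Assumes pre-8.3 NAT syntax
! (nat/global), custlan = 10.164.0.0/24, custdmz2 = 192.168.2.0/24.
! ACL name NONAT and test host 10.164.0.50 are constructed for the example.
!
! 1. NAT exemption: traffic between the DMZ subnet and the LAN subnet is never
!    translated, in either direction. "nat 0 access-list" is evaluated before
!    any dynamic nat/global pair, so LAN hosts still reach 192.168.2.100 by its
!    real address, and the DMZ server reaches LAN hosts (web, DNS) untranslated.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.164.0.0 255.255.255.0
nat (custdmz2) 0 access-list NONAT
!
! 2. Dynamic PAT for everything else leaving custdmz2 toward custlan, i.e. the
!    Internet via 10.164.0.1: the DMZ server appears as the custlan interface
!    address (10.164.0.60), so the corporate firewall needs no change.
!    "outside" is required because custdmz2 has a lower security level than
!    custlan, the interface named in the matching global statement.
nat (custdmz2) 1 192.168.2.0 255.255.255.0 outside
global (custlan) 1 interface
!
! 3. The interface ACLs from the post are unchanged: custlan_to_custdmz2 still
!    limits LAN-initiated traffic to tcp/709,710,829, and custdmz2_to_custlan
!    still limits DMZ-initiated traffic to www and domain. NAT exemption does
!    not open anything; it only removes the translation on the LAN/DMZ pair.
!
! 4. Verify each path before handing over. Expected results:
!    LAN -> DMZ on an allowed port: ALLOW, no xlate for 192.168.2.100
packet-tracer input custlan tcp 10.164.0.50 12345 192.168.2.100 709
!    LAN -> DMZ on a port not in the ACL: DROP at the ACL phase
packet-tracer input custlan tcp 10.164.0.50 12345 192.168.2.100 22
!    DMZ -> Internet: ALLOW, dynamic PAT to 10.164.0.60
packet-tracer input custdmz2 tcp 192.168.2.100 40000 198.51.100.10 80
!    Active translations; a custlan-to-custdmz2 session should show none
show xlate
```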