I have a host in the DMZ that doesn't need to be accessed from the outside but I would like to have internet available when doing troubleshooting, researching, etc. I don't want to waste an outside IP just for this server to access the web.
My idea is to create a nat (dmz) and associate it with the global (outside). Then create an ACL
access-list DMZ permit tcp host x.x.x.x any eq 80
access-list DMZ permit tcp host x.x.x.x any eq 443
Can you check and tell me if it is OK?
Is there any security concerns by doing it this way?
Is there a better (more secure) way to accomplish this?
Thanks in advance. RG
You can do it like this
nat (dmz) 1 x.x.x.x netmask 255.255.255.255
global (outside) 1 interface
Then you will be using the same interface as the ASA, and just the host x.x.x.x will be able to go to the internet.
On the ACL you will need to have DNS (UDP port 53) if you will be using an external DNS, let's say the ISP DNS or 220.127.116.11 as an example.
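A complete worked version of the setup described in the answer above, as an added example that is not part of either post. It uses pre-8.3 ASA syntax (the same nat/global form the thread uses) and assumes placeholder values: the DMZ host is 10.10.10.5, the interfaces are named dmz and outside, the inside networks are 192.168.0.0/16, the ISP resolver is 203.0.113.53 and the ACL is called DMZ_OUT. Change those to match your own addressing.

```cisco
! Added example (assumed addresses and names), not from the original posts.
! PAT the single DMZ host behind the outside interface IP (no dedicated public IP used).
! Pre-8.3 nat syntax: the mask is positional, there is no "netmask" keyword here.
nat (dmz) 1 10.10.10.5 255.255.255.255
global (outside) 1 interface

! ACL applied inbound on dmz controls everything the DMZ host initiates,
! including traffic toward inside. "any" would otherwise let it reach
! inside web or DNS servers, so block inside explicitly first.
access-list DMZ_OUT extended deny ip host 10.10.10.5 192.168.0.0 255.255.0.0 log

! Outbound web from the DMZ host only.
access-list DMZ_OUT extended permit tcp host 10.10.10.5 any eq 80
access-list DMZ_OUT extended permit tcp host 10.10.10.5 any eq 443

! Name resolution: limit DNS to the one resolver you actually use, not "any".
access-list DMZ_OUT extended permit udp host 10.10.10.5 host 203.0.113.53 eq 53

! Explicit deny with logging so anything else the DMZ host tries shows up in syslog
! (the ASA would deny it anyway; the line only adds visibility).
access-list DMZ_OUT extended deny ip any any log

! Bind the ACL to the DMZ interface in the inbound direction.
access-group DMZ_OUT in interface dmz
```

Because the outside interface has a lower security level than dmz and no static translation is defined, nothing on the internet can open a connection to 10.10.10.5; only the return traffic of sessions the host initiates is allowed back through the stateful inspection. After applying it, `show xlate` should show the host translated to the outside interface address while it browses, and `show access-list DMZ_OUT` shows hit counts per line so you can confirm the DNS rule is actually being used. On ASA 8.3 and later the nat/global pair is replaced by an `object network` with `nat (dmz,outside) dynamic interface`, and the ACL references the real (untranslated) address, which is the same address here.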