Access internet from DMZ

Answered Question
Aug 13th, 2012

Hi everyone,

I have a host in the DMZ that doesn't need to be accessed from the outside but I would like to have internet available when doing troubleshooting, researching, etc. I don't want to waste an outside IP just for this server to access the web.

My idea is to create a nat (dmz) and associate it with the global (outside). Then create an ACL

access-list DMZ permit tcp host x.x.x.x any eq 80

access-list DMZ permit tcp host x.x.x.x any eq 443

Can you check and tell me if it is OK?

Are there any security concerns by doing it this way?

Is there a better (more secure) way to accomplish this?

Thanks in advance. RG

Correct Answer by Julio Carvaja about 1 year 8 months ago

Hello,

You can do it like this

nat (dmz) 1 x.x.x.x netmask 255.255.255.255

global (outside) 1 interface

Then you will be using the same interface as the ASA, and just the host x.x.x.x will be able to go to the internet.

On the ACL you will need to have DNS UDP port 53 if you will be using an external DNS, let's say the ISP's DNS or 4.2.2.2 as an example.

Regards.


Karsten Iwen Mon, 08/13/2012 - 14:12

In addition to what jcarvaja said, there is a problem with your ACL. Depending on the rest of your config (i.e. NAT-exemption or "static (inside,dmz)") it could be that you have opened up your internal network for TCP/80 and TCP/443 from the DMZ host. The destination "any" is not the internet. It also includes your inside and every other network you have on your ASA.

For that reason my DMZ ACLs typically look like this:

access-list DMZ deny ip any object-group RFC1918

access-list DMZ permit tcp host x.x.x.x any eq 80

Everything above the line with the object-group specifies the traffic from the DMZ into the internal network, everything below the line is for the traffic to the internet.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
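To make the ordering point above concrete, here is an added example (not code from the thread or from Cisco) that evaluates both ACL variants with ASA first-match semantics against sample flows; the DMZ host, the inside host and the internet address are constructed placeholders, and the object-group name RFC1918 is taken from Karsten's ACL.

```python
# Added example (not from the thread): a minimal first-match ACL evaluator that
# shows why the "deny ip any object-group RFC1918" line must sit above the
# "permit ... any eq 80/443" lines.  All addresses are constructed sample values.
import ipaddress

# Object-group RFC1918 as an ASA admin would define it (the three private ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
DMZ_HOST = "192.168.50.10"   # constructed placeholder for x.x.x.x

def ace(action, proto, src, dst, dport=None):
    """One access-control entry; proto 'ip' matches every protocol and port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def host(ip):
    return [ipaddress.ip_network(ip + "/32")]

# The questioner's ACL: destination "any" also covers the inside networks.
ACL_ORIGINAL = [
    ace("permit", "tcp", host(DMZ_HOST), ANY, 80),
    ace("permit", "tcp", host(DMZ_HOST), ANY, 443),
]

# Karsten's layout: entries above the RFC1918 deny govern DMZ -> internal traffic
# (none here, so nothing internal is reachable); entries below govern DMZ -> internet.
ACL_HARDENED = [ace("deny", "ip", ANY, RFC1918)] + ACL_ORIGINAL

def _in(ip, nets):
    return any(ip in n for n in nets)

def evaluate(acl, proto, src, dst, dport):
    """ASA ACL semantics: the first matching entry wins; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if _in(s, e["src"]) and _in(d, e["dst"]):
            return e["action"]
    return "deny"  # implicit "deny ip any any"

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("hardened", ACL_HARDENED)):
        print(name, "DMZ->inside:443  ", evaluate(acl, "tcp", DMZ_HOST, "10.1.1.20", 443))
        print(name, "DMZ->internet:443", evaluate(acl, "tcp", DMZ_HOST, "203.0.113.5", 443))
```

The run also shows that UDP/53 is still denied in the hardened list until the DNS entry Julio mentions is added below the RFC1918 deny.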

Posted August 13, 2012 at 11:58 AM
Tags: acl, dmz, firewall