08-13-2012 11:58 AM - edited 03-11-2019 04:41 PM
Hi everyone,
I have a host in the DMZ that doesn't need to be accessed from the outside but I would like to have internet available when doing troubleshooting, researching, etc. I don't want to waste an outside IP just for this server to access the web.
My idea is to create a nat (dmz) and associate it with the global (outside). Then create an ACL
access-list DMZ permit tcp host x.x.x.x any eq 80
access-list DMZ permit tcp host x.x.x.x any eq 443
Can you check and tell me if it is OK?
Is there any security concerns by doing it this way?
Is there a better (more secure) way to accomplish this?
Thanks in advance. RG
08-13-2012 12:16 PM
Hello,
You can do it like this
nat (dmz) 1 x.x.x.x netmask 255.255.255.255
global (outside) 1 interface
Then you will be using the same interface as the ASA, and just the host x.x.x.x will be able to go to the internet.
On the ACL you will need to have DNS UDP port 53 if you will be using an external DNS, let's say the ISP DNS or 4.2.2.2 as an example.
Regards.
08-13-2012 02:12 PM
In addition to what jcarvaja said, there is a problem with your ACL. Depending on the rest of your config (i.e. NAT exemption or "static (inside,dmz)"), it could be that you have opened up your internal network for TCP/80 and TCP/443 from the DMZ host. The destination "any" is not the internet. It also includes your inside and every other network you have on your ASA.
For that my DMZ ACLs typically look like this:
access-list DMZ deny ip any object-group RFC1918
access-list DMZ permit tcp host x.x.x.x any eq 80
Everything above the line with the object-group specifies the traffic from the DMZ into the internal network, everything below the line is for the traffic to the internet.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
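To make the ordering point in this answer concrete, here is a small Python checker added to the thread (it is not from the posters or from Cisco) that evaluates the DMZ ACL first-match, the way the ASA does, and reports whether the DMZ host can still reach RFC1918 space with and without the leading deny; it also shows jcarvaja's point that DNS to 4.2.2.2 needs its own UDP/53 line. The RFC1918 group contents and the 192.0.2.10 address standing in for x.x.x.x are assumptions.

```python
import ipaddress

# Stand-in for the reply's RFC1918 object-group (configured separately on a real ASA).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_acl(text):
    """Parse the ASA ACE subset used in this thread: access-list NAME permit|deny
    PROTO SRC DST [eq PORT], where SRC/DST is 'host A', 'any' or 'object-group RFC1918'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto, i, ends = t[1], t[2], t[3], 4, []
        for _ in range(2):  # source endpoint, then destination endpoint
            if t[i] == "host":
                ends.append([ipaddress.ip_network(t[i + 1])]); i += 2
            elif t[i] == "any":
                ends.append([ipaddress.ip_network("0.0.0.0/0")]); i += 1
            elif t[i] == "object-group" and t[i + 1] == "RFC1918":
                ends.append(RFC1918); i += 2
            else:
                raise ValueError("unsupported ACE: " + line)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((name, action, proto, ends[0], ends[1], port))
    return rules

def lookup(rules, acl, proto, src, dst, port=None):
    """First-match evaluation of one flow against ACL 'acl'; the trailing return
    models the implicit deny the ASA appends to every access-list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, p, srcs, dsts, prt in rules:
        if name == acl and p in ("ip", proto) and prt in (None, port) \
                and any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"

def reaches_private(rules, acl, src, port, proto="tcp"):
    """True if src can reach a sample host in any RFC1918 range on the given port."""
    probes = ("10.1.1.20", "172.16.1.20", "192.168.1.20")
    return any(lookup(rules, acl, proto, src, p, port) == "permit" for p in probes)

# Constructed samples: 192.0.2.10 stands in for the thread's x.x.x.x DMZ host.
ORIGINAL = """access-list DMZ permit tcp host 192.0.2.10 any eq 80
access-list DMZ permit tcp host 192.0.2.10 any eq 443"""
HARDENED = """access-list DMZ deny ip any object-group RFC1918
access-list DMZ permit tcp host 192.0.2.10 any eq 80
access-list DMZ permit tcp host 192.0.2.10 any eq 443
access-list DMZ permit udp host 192.0.2.10 any eq 53"""
```

Whether the inside network is actually reachable also depends on the NAT configuration the answer mentions; this checker only evaluates the ACL itself.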