
Access internet from DMZ

Limitless1801
Level 1

Hi everyone,

I have a host in the DMZ that doesn't need to be accessed from the outside but I would like to have internet available when doing troubleshooting, researching, etc. I don't want to waste an outside IP just for this server to access the web.

My idea is to create a nat (dmz) and associate it with the global (outside). Then create an ACL

access-list DMZ permit tcp host x.x.x.x any eq 80

access-list DMZ permit tcp host x.x.x.x any eq 443

Can you check and tell me if it is OK?

Are there any security concerns with doing it this way?

Is there a better (more secure) way to accomplish this?

Thanks in advance. RG

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

You can do it like this

nat (dmz) 1 x.x.x.x netmask 255.255.255.255

global (outside) 1 interface

Then you will be using the same interface as the ASA, and just the host x.x.x.x will be able to go to the internet.

On the ACL you will also need to include DNS (UDP port 53) if you will be using an external DNS, let's say the ISP DNS or 4.2.2.2 as an example.

Regards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


2 Replies

In addition to what jcarvaja said, there is a problem with your ACL. Depending on the rest of your config (i.e. NAT-exemption or "static (inside,dmz)"), it could be that you have opened up your internal network for TCP/80 and TCP/443 from the DMZ host. The destination "any" is not the internet. It also includes your inside and every other network you have on your ASA.

For that reason my DMZ ACLs typically look like this:

access-list DMZ deny ip any object-group RFC1918

access-list DMZ permit tcp host x.x.x.x any eq 80

Everything above the line with the object-group specifies the traffic from the DMZ into the internal network, everything below the line is for the traffic to the internet.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
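To make the ordering point concrete, here is an added Python model of first-match ACL evaluation (not from the thread, not Cisco code) that compares the original poster's two-line ACL with the second reply's ordering, plus the DNS line from the accepted answer. The DMZ host address, the contents of the RFC1918 object-group and the sample destinations are constructed stand-ins for the thread's x.x.x.x and unnamed networks.

```python
import ipaddress

# Constructed stand-in for the object-group RFC1918 used in the reply above
# (assumption: it carries exactly the three private ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_HOST = "172.16.20.10"  # constructed stand-in for the thread's x.x.x.x

def rule(action, proto, src, dst, port=None):
    """One access-list entry; src/dst are 'any', a host address, or 'rfc1918'."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def _match_addr(spec, addr):
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(ipaddress.ip_address(addr) in n for n in RFC1918)
    return spec == addr

def evaluate(acl, proto, src, dst, port):
    """Top-down first match, with the ASA's implicit deny when nothing matches."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not _match_addr(ace["src"], src) or not _match_addr(ace["dst"], dst):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"]
    return "deny"

# The original poster's ACL: only the two permits, destination "any".
ACL_ORIGINAL = [
    rule("permit", "tcp", DMZ_HOST, "any", 80),
    rule("permit", "tcp", DMZ_HOST, "any", 443),
]

# Second reply's ordering: deny private space first, then the internet permits,
# plus the UDP/53 line from the accepted answer for external DNS.
ACL_HARDENED = [
    rule("deny", "ip", "any", "rfc1918"),
    rule("permit", "tcp", DMZ_HOST, "any", 80),
    rule("permit", "tcp", DMZ_HOST, "any", 443),
    rule("permit", "udp", DMZ_HOST, "any", 53),
]

def compare(dst, proto="tcp", port=80):
    """Verdicts (original, hardened) for one flow from the DMZ host to dst."""
    return (evaluate(ACL_ORIGINAL, proto, DMZ_HOST, dst, port),
            evaluate(ACL_HARDENED, proto, DMZ_HOST, dst, port))
```

An inside web server at 192.168.1.50 is reachable under the original ACL and blocked under the hardened one, while a public address on TCP/80 passes both.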
