Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2042
Views
0
Helpful
7
Replies

Allow DMZ server to contact the internet (http only).

Go to solution
Brendan Wood
Level 1
Level 1

‎07-07-2012 04:38 PM - edited ‎03-11-2019 04:27 PM

Hello,

I've set up my server in the DMZ.  I was able to make some rules to allow the dmz host to access for example, my SQL server on the inside.  It was just an ALLOW rule I had to make.

I would need this DMZ host (only this host, not the other DMZ members) to access HTTP on the internet... for windows update and for other things...

Most examples I find are all based on older versions of the ASA ... before the natting rules changed.   Please help me with this config... and keep in mind that I'm a beginner so you might be more effective to give concrete examples rather than general instructions.

here's my setup attached;

P.S.  The entries there which are for 172.21.20.2 are just attempts ...  forgot to remove them from my running-config.

Labels:
131185-running-config.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-07-2012 07:02 PM

Here you go:

access-list dmz_access_in extended deny ip object Webserver 172.20.20.0 255.255.254.0

access-list dmz_access_in extended permit tcp object Webserver any eq 80

The above will "deny" the webserver from accessing the internal network except those that you have already allowed earlier, and allow the webserver to access the internet on port 80.

If you also want to allow port 443 (HTTPS), then just add the following:

access-list dmz_access_in extended permit tcp object Webserver any eq 443

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-07-2012 07:02 PM

Here you go:

access-list dmz_access_in extended deny ip object Webserver 172.20.20.0 255.255.254.0

access-list dmz_access_in extended permit tcp object Webserver any eq 80

The above will "deny" the webserver from accessing the internal network except those that you have already allowed earlier, and allow the webserver to access the internet on port 80.

If you also want to allow port 443 (HTTPS), then just add the following:

access-list dmz_access_in extended permit tcp object Webserver any eq 443

0 Helpful

Go to solution
Brendan Wood
Level 1
Level 1
In response to Jennifer Halim

‎07-07-2012 10:58 PM

Hi Jennifer,  your solution helped me fix my issue, but i had to add a few things to it.  I would just like to confirm what I did was correct.

In addition to the access-lists, I had to make a nat rule from DMZ to outside.  I also had to create an access list for permitting "tcp-udp/domain" because I saw that my dns was not working.

Am I on the right track?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Brendan Wood

‎07-08-2012 02:17 AM

Correct, you would need NAT for the web server and access-list to permit DNS resolution (UDP/53) as follows:

object network WebserverDMZ

host 172.21.20.2

nat (dmz,outside) dynamic interface

access-list dmz_access_in extended permit udp object Webserver any eq 53

0 Helpful

Go to solution
Brendan Wood
Level 1
Level 1
In response to Jennifer Halim

‎07-13-2012 11:43 AM

Hi,

Not quite got it yet;

I've attached my configuration here;  with this configuration I am able to access the web host from the outside, but I cannot get to the internet from the web host.

It seems when I make changes suggested above, I can indeed access the internet from the DMZ.

Can someone please look at my sample config attached (took out unneccessary lines), and suggest modifications to achieve the following;

1) DMZ-WINDOWS1 should be hit when hit from requests from the internet.

2) DMZ-WINDOWS1 and DMZ-LINUX1 should be able to communicate with the outside (and domain, https, etc.)

Thanks in advance!

131583-running-config.txt.zip
0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Brendan Wood

‎07-17-2012 12:10 AM

You are missing the following line:

access-group dmz_access_in in interface dmz

The above will achieve your point number 2).

0 Helpful

Go to solution
Brendan Wood
Level 1
Level 1
In response to Jennifer Halim

‎07-21-2012 08:40 PM

Hello,

Unfortunately your solution didn't work ... but I made some changes to allow it to work but I was wondering if you can validate the setup.

I know there's a problem with it for DNS already.  Please see the following config;

interface Vlan1

nameif inside

security-level 100

ip address 172.20.20.1 255.255.254.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group Acanac

ip address pppoe setroute

!

interface Vlan3

nameif dmz

security-level 50

ip address 172.21.20.1 255.255.255.0

dns server-group DefaultDNS

domain-name BRENDAN-WOOD.LOCAL

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network SRV-DMZ-LINUX1

host 172.21.20.3

description DMZ Linux Host 1

object network SRV-DMZ-WINDOWS1

host 172.21.20.2

description DMZ Windows Host 1

object network NETWORK_OBJ_10.20.20.0_27

subnet 10.20.20.0 255.255.255.224

object network TEST

host 172.21.20.2

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network SRV-DMZ-GROUP

network-object object SRV-DMZ-LINUX1

network-object object SRV-DMZ-WINDOWS1

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq www

service-object tcp destination eq domain

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object tcp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0

access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP any

access-list OutsidetoDMZ extended permit object-group DM_INLINE_SERVICE_1 any object-group SRV-DMZ-GROUP

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.20.0_27 NETWORK_OBJ_10.20.20.0_27 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network SRV-DMZ-LINUX1

nat (dmz,outside) dynamic interface

object network SRV-DMZ-WINDOWS1

nat (dmz,outside) static interface service tcp www www

object network TEST

nat (dmz,outside) dynamic interface

access-group OutsidetoDMZ in interface outside

access-group dmz_access_in in interface dmz

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Brendan Wood

‎07-22-2012 03:27 AM

DNS should be UDP instead of TCP, so your service object group should be change:

FROM:

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq www

service-object tcp destination eq domain

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object tcp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

TO:

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq www

service-object udp destination eq domain

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card