
Allow Webserver (DMZ) access to Wordpress.org

I am fairly new to ASAs.  I have a webserver in my DMZ that I need to allow access to wordpress.org.  Could anyone please help me in the setup with this?  Currently, my DMZ does not have internet access by design. 

Web Server IP (DMZ): 172.100.1.10    

LAN (Inside): 192.100.1.0/24

Any help is appreciated!!

8 REPLIES

Allow Webserver (DMZ) access to Wordpress.org

Hi Tyler,

Do you have an additional public IP to use for DMZ host translation, or do you need to use the existing outside IP only?

What is the ASA OS version?

Do you need to restrict access to wordpress.org (firm requirement), or is general internet access from the webserver fine?

Post current config from ASA as well.

Thx

MS


Re: Allow Webserver (DMZ) access to Wordpress.org

I do not have an additional public IP.

I need a webserver to be able to access the internet, specifically www.wordpress.org.  

Config attached, please note that IPs and other config has been changed.

ASA Version 8.2(4)4
!
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 15
!
interface Ethernet0/7
 switchport access vlan 15
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.74 255.255.255.248
!
interface Vlan15
 nameif DMZ
 security-level 50
 ip address 172.100.1.254 255.255.255.0
!

Re: Allow Webserver (DMZ) access to Wordpress.org

Hello Tyler,

Modify the ACL:

access-list DMZ_Access_In permit tcp any any eq 80

access-list DMZ_Access_In permit tcp any any eq 443

access-list DMZ_Access_In permit udp any any eq 53

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Re: Allow Webserver (DMZ) access to Wordpress.org

Thanks for the response, Julio.  I will apply the above and let you know! 

Re: Allow Webserver (DMZ) access to Wordpress.org

Hello Tyler,

Sure let me know,

Remember to rate all the posts, that is as important as a thank you


Re: Allow Webserver (DMZ) access to Wordpress.org

Hi Tyler,

Julio's suggestion works perfectly for you, and if you want to restrict your webserver's communication to inside, consider adding the below:

access-list DMZ_Access_In extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433

access-list DMZ_Access_In extended permit icmp any any echo-reply

----------

access-list DMZ_Access_In extended deny ip any 10.10.1.0  255.255.255.0   (restrict any further communication from DMZ to inside subnet)

If you use internal DNS servers, then allow the port 53 to those servers as 2nd access-list line.

Julio, please correct if I miss anything.

Thx

MS
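
Why the position of these lines in DMZ_Access_In matters, as an added example that is not part of the original posts: a small first-match evaluator run over the ACL entries quoted in this thread. The destination addresses 10.10.1.50, 10.10.1.5 and 198.51.100.7 are constructed, and only the tcp/udp/ip entry forms used here are parsed.

```python
import ipaddress

def _addr(tok):  # one ASA address spec: 'any', 'host A' or 'A MASK'
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_ace(line):
    # Drop 'access-list <name>' and the optional 'extended' keyword.
    tok = [t for t in line.split()[2:] if t != "extended"]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    dst, tok = _addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, port):
    # First matching entry wins; every ACL ends with an implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, dnet, eq = parse_ace(line)
        if p in ("ip", proto) and s in snet and d in dnet and eq in (None, port):
            return action
    return "deny"

N = "access-list DMZ_Access_In "
WEB = [N + "permit tcp any any eq 80",
       N + "permit tcp any any eq 443",
       N + "permit udp any any eq 53"]
SQL = N + "extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433"
DENY_INSIDE = N + "extended deny ip any 10.10.1.0 255.255.255.0"
APPENDED = WEB + [SQL, DENY_INSIDE]   # deny entered last, so it sits below the permits
ORDERED = [SQL, DENY_INSIDE] + WEB    # inside rules first, then the general permits

# Constructed flows from the DMZ host used in the reply above.
FLOWS = {
    "web to inside host, tcp/80": ("tcp", "172.100.1.64", "10.10.1.50", 80),
    "web to SQL server, tcp/1433": ("tcp", "172.100.1.64", "10.10.1.21", 1433),
    "web to inside DNS, udp/53": ("udp", "172.100.1.64", "10.10.1.5", 53),
    "web to internet, tcp/443": ("tcp", "172.100.1.64", "198.51.100.7", 443),
    "web to internet, tcp/25": ("tcp", "172.100.1.64", "198.51.100.7", 25),
}

def decisions(acl):
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name in FLOWS:
        print(f"{name:30} appended={decisions(APPENDED)[name]:7} ordered={decisions(ORDERED)[name]}")
```

With the deny below the `any any` permits, the DMZ host still reaches the inside subnet on tcp/80, tcp/443 and udp/53; with the inside rules first, an internal DNS server needs its own permit above the deny, as the reply notes.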

Re: Allow Webserver (DMZ) access to Wordpress.org

Hello,

That is correct, if restriction to the internal subnet is required that is how you need to do it,

Regards,

Julio


Re: Allow Webserver (DMZ) access to Wordpress.org

Thanks for the help!  Seems everything is working the way we want it to.  Just need to add a host record for the websites that we need now on DNS.
