ASA 9.0(3) - host in DMZ to access internet

HIeu Phan
Level 1

hi everyone,

I'm running into an odd situation with DMZ config on 9.0(3). I managed to get it to work with an ANY statement, but I hate that.

So below is how my current traffic is

    INSIDE ----------------------> DMZ ---------nat---------> OUTSIDE
    192.168.3.4/24                 192.168.1.55               x.x.x.55

Right now 192.168.1.55 (DMZ) can reach both inside and outside perfectly fine. However, because I use an ANY statement, the host in DMZ is actually able to reach the entire INSIDE subnet. I don't want that. I just want it to be able to reach 192.168.3.4 only.

Below is my config (I removed lines that are unnecessary):

!
interface Port-channel1.102
 vlan 102
 nameif outside
 security-level 0
 ip address 66.111.20.252 255.255.255.0
!
interface Port-channel3.7
 vlan 7
 nameif dmz
 security-level 50
 ip address 192.168.1.251 255.255.255.0
!
interface Port-channel5
 nameif inside
 security-level 100
 ip address 192.168.3.250 255.255.255.0
!
object network Internal-LAN2_Network
 subnet 192.168.3.0 255.255.255.0
object network Hieu-DMZ-Laptop
 host 192.168.1.55
object network DMZ_Network
 subnet 192.168.1.0 255.255.255.0
object network Hieu-WAN-Laptop
 host 66.111.20.55
object network CORE-Management-VLAN2
 host 192.168.3.4
object network WAN_Network
 subnet 66.111.20.0 255.255.255.0
!
access-list dmz_access_in extended permit ip object Hieu-DMZ-Laptop object CORE-Management-VLAN2
access-list dmz_access_in extended permit ip object Hieu-DMZ-Laptop any
access-list outside_access_in extended permit ip any object Hieu-DMZ-Laptop
!
object network Internal-LAN2_Network
 nat (inside,dmz) static Internal-LAN2_Network
object network Hieu-DMZ-Laptop
 nat (dmz,outside) static Hieu-WAN-Laptop
!
nat (any,outside) after-auto source dynamic any interface description INSIDE_OUTBOUND_NAT
!
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 65.115.229.1 1
!

Accepted Solution

joseoroz
Cisco Employee

Hello

The situation is that, as you know, the firewall needs an access-list to permit traffic that comes from a lower security level to a higher one. Once you create the inbound access list on the DMZ to permit the specific host on the inside, if you don't permit traffic from the source to any you are going to lose connectivity to the internet.

The way to work this is to use the access-list to permit what you need and then deny what you don't, using the hierarchical properties of the ACL.

It goes something like this:

 nameif outside
 security-level 0
 ip address 66.111.20.252 255.255.255.0

 nameif dmz
 security-level 50
 ip address 192.168.1.251 255.255.255.0

 nameif inside
 security-level 100
 ip address 192.168.3.250 255.255.255.0


First you permit from DMZ to inside (lower to higher)

EX:

access-list dmz_access_in extended permit ip object Hieu-DMZ-Laptop object CORE-Management-VLAN2
 ---> with this one you include what you need to allow.
access-list dmz_access_in extended deny ip any 192.168.3.0 255.255.255.0
 ---> on this one you deny access to the inside network.
access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any
 ---> with this one you permit access from the DMZ range to the internet.

Please review this configuration and let me know if you have any questions. It's very important that you feel comfortable and analyze the variables, as this could block the host's access to needed resources if we are not careful.

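The first-match behaviour the accepted solution relies on, as an added example that is not part of this thread and not Cisco code: a small Python model that resolves the thread's `object network` names and walks an ASA-style access-list top to bottom, taking the first matching ACE and falling through to the ASA's implicit deny. It runs both the original `dmz_access_in` from the question and the reordered one from the answer over the same flows. The extra inside host (192.168.3.20), the second DMZ host (192.168.1.60) and the internet address (203.0.113.10) are constructed for the demonstration; NAT and port-level ACEs are not modelled.

```python
"""First-match evaluation of an ASA-style access-list (added example).

Not code from the thread or from Cisco: a toy model of the ASA's top-down,
first-match ACL walk with an implicit deny at the end, used to show why the
original dmz_access_in exposes the whole inside subnet and the accepted
solution's permit / deny / permit ordering does not.
"""
import ipaddress

# Object definitions copied from the config posted in the thread.
OBJECTS = {
    "Internal-LAN2_Network": ipaddress.ip_network("192.168.3.0/24"),
    "Hieu-DMZ-Laptop": ipaddress.ip_network("192.168.1.55/32"),
    "DMZ_Network": ipaddress.ip_network("192.168.1.0/24"),
    "CORE-Management-VLAN2": ipaddress.ip_network("192.168.3.4/32"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# The questioner's original inbound ACL on the dmz interface.
ORIGINAL_ACL = [
    "access-list dmz_access_in extended permit ip object Hieu-DMZ-Laptop object CORE-Management-VLAN2",
    "access-list dmz_access_in extended permit ip object Hieu-DMZ-Laptop any",
]

# The accepted solution: specific permit, then deny the inside subnet,
# then permit the rest of the DMZ range out to the internet.
FIXED_ACL = [
    "access-list dmz_access_in extended permit ip object Hieu-DMZ-Laptop object CORE-Management-VLAN2",
    "access-list dmz_access_in extended deny ip any 192.168.3.0 255.255.255.0",
    "access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any",
]


def _parse_addr(tokens):
    """Consume one address spec and return (network, remaining tokens).

    Handles the forms used in the thread: 'any', 'object NAME',
    'host A.B.C.D' and 'A.B.C.D NETMASK'.
    """
    head = tokens[0]
    if head == "any":
        return ANY, tokens[1:]
    if head == "object":
        return OBJECTS[tokens[1]], tokens[2:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{head}/{tokens[1]}"), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME [extended] {permit|deny} PROTO SRC DST' lines."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # skip blank lines and '!' comment lines
        rest = tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, proto = rest[0], rest[1]
        src, rest = _parse_addr(rest[2:])
        dst, _ = _parse_addr(rest)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip, proto="ip"):
    """Return the action of the first ACE matching the flow, else 'deny'."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, ace_proto, ace_src, ace_dst in aces:
        if ace_proto not in ("ip", proto):
            continue
        if src in ace_src and dst in ace_dst:
            return action
    return "deny"  # implicit deny at the end of every ASA access-list


# Constructed flows: the thread's laptop and management host plus three
# made-up addresses (another inside host, another DMZ host, an internet host).
FLOWS = {
    "laptop->mgmt": ("192.168.1.55", "192.168.3.4"),
    "laptop->other-inside": ("192.168.1.55", "192.168.3.20"),
    "laptop->internet": ("192.168.1.55", "203.0.113.10"),
    "other-dmz->mgmt": ("192.168.1.60", "192.168.3.4"),
    "other-dmz->internet": ("192.168.1.60", "203.0.113.10"),
}


def compare(flows=FLOWS):
    """Map each flow name to (original verdict, fixed verdict)."""
    original, fixed = parse_acl(ORIGINAL_ACL), parse_acl(FIXED_ACL)
    return {name: (evaluate(original, s, d), evaluate(fixed, s, d))
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:22s} original={before:7s} fixed={after}")
```

The "laptop->other-inside" row is the one the question is about: the original list permits it through the `permit ip object Hieu-DMZ-Laptop any` entry, while the reordered list hits the `deny ip any 192.168.3.0 255.255.255.0` entry first. The model also shows a side effect worth checking on a real box: the original ACL only ever matched the laptop, so any other DMZ host was implicitly denied everywhere, whereas the accepted solution's final `permit ip 192.168.1.0 255.255.255.0 any` lets the whole DMZ range out.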

2 Replies


HIeu Phan
Level 1

Thank you Jose!

I actually created a rule pretty similar to what you stated.

Things are working really well now.

Thank you for your help
