Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

dmz design

here is my dilemma, we have a dmz setup on an asa5520 where we are going to have a public web server that needs to access a backend sql database on the internal network.

I want to allow the server in the dmz to initiate with the internet as well as be accessible from the internet, and to be able to initiate with a few servers on the inside for backup processes. I also want to be able to manage dmz servers from the inside, restricted to a few specific ip addresses.

I know how to create acls in the dmz to allow access back to the internal network, however when i do this i am unable to then connect to the internet from the webserver in the dmz. right now i have taken out the specific acls and added one blanket acl to allow ip any any. However this gives me complete access to the internal network, but it also gives me internet access?

My question is what kind of acls do i need to write to

1. allow servers in the dmz to access the internet with its range of ip addresses. Some sort of Nat Statement?

2. allow servers in dmz to access specific internal servers

3. manage web servers in dmz from internal network.

I have taken out the static nat statement allowing the public ip of the web server in the dmz to be translated to the private ip. static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: dmz design

#Allow outside to hit dmz server

static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255

#Allow communication between inside and srv network

static (inside,srv) 172.18.1.0 172.18.1.0 netmask 255.255.224.0

#ACL for dmz interface

access-list dmz extended permit tcp host 10.10.2.x host eq xxx

#Add additional permit statements here

#Now deny everything else to inside

access-list dmz extended deny ip any 172.18.1.0 255.255.224.0

#Now allow all other traffic outbound to internet from srv

access-list dmz extended permit ip any any

access-group dmz in interface srv

2 REPLIES
Green

Re: dmz design

#Allow outside to hit dmz server

static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255

#Allow communication between inside and srv network

static (inside,srv) 172.18.1.0 172.18.1.0 netmask 255.255.224.0

#ACL for dmz interface

access-list dmz extended permit tcp host 10.10.2.x host eq xxx

#Add additional permit statements here

#Now deny everything else to inside

access-list dmz extended deny ip any 172.18.1.0 255.255.224.0

#Now allow all other traffic outbound to internet from srv

access-list dmz extended permit ip any any

access-group dmz in interface srv

New Member

Re: dmz design

thanks, this did the trick.

284
Views
0
Helpful
2
Replies