How can I allow a DMZ zone server to resolve only DNS queries through nslookup on an ASA 5540?
What is the configuration required on the ASA 5540?
I just did a quick packet capture to see if there was any remarkable difference between the query done automatically by the computer and the one executed via nslookup, and they are the same. Nothing changes. Since there is no verifiable way to differentiate one from the other, you may need to find a solution that can be implemented on the host itself.
I want to know:
How can I allow HTTP requests from the DMZ zone server to a specific outside web server (e.g. 126.96.36.199)?
Can you advise?
By IP address it will be very simple; depending on the security level that it has (higher than 0 for the DMZ and 0 for the outside), it will be allowed by default.
If there is an access-list already applied denying all the HTTP traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest:
Access-list DMZ permit tcp host
Access-list DMZ deny ip any any
access-group DMZ in interface DMZ
Then you can add a host entry in the hosts file of the server on the DMZ to translate the IP address to a hostname, and you will be able to access it using the web browser (not really scalable, but it works).
WARNING: This will only allow traffic from the DMZ server going to the specific host on the internet on port 80; any other traffic going to any other interface will be dropped.
OK, the last thing I want to ask:
I have configured the public DNS IP on my server interface (e.g. 188.8.131.52). I want to do an nslookup for google.com, but it gives me the error "request timed out". But when I create this rule on the ASA, e.g.:
nat (DMZ-1) 10 172.16.1.202 255.255.255.255 tcp 0 0 udp 0
it works fine. I know it is not secure to allow everything. How can I successfully perform nslookup without giving all access?
I hope it's clear.
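The two questions in this thread (HTTP to one outside web server, and DNS to one public resolver without opening everything) are both answered by the same interface access-list, so here is one worked configuration as an added example; it is not from any post in the thread or from Cisco. It uses the addresses quoted above (172.16.1.202 as the DMZ server, 188.8.131.52 as the resolver, 126.96.36.199 as the web server) and the interface name DMZ-1 from the posted nat line; the ACL name DMZ-1_access_in and the global pool on the outside interface are assumptions, and the syntax is the pre-8.3 style the thread's nat command belongs to. The nat statement only translates the address; it is the access-group that decides what the server may reach, so the restriction belongs in the ACL, not in the NAT rule.

```cisco
! Added example (not from the thread): limit the DMZ server to DNS towards
! its configured resolver and HTTP towards one outside web server.
! ACL name and global pool are assumptions; addresses come from the thread.
!
! DNS uses UDP/53 normally and falls back to TCP/53 for large answers,
! so both are permitted to the resolver only.
access-list DMZ-1_access_in extended permit udp host 172.16.1.202 host 188.8.131.52 eq domain
access-list DMZ-1_access_in extended permit tcp host 172.16.1.202 host 188.8.131.52 eq domain
! HTTP to the single outside web server from the earlier question.
access-list DMZ-1_access_in extended permit tcp host 172.16.1.202 host 126.96.36.199 eq www
! Everything else from the DMZ is dropped and logged so blocked attempts show up in syslog.
access-list DMZ-1_access_in extended deny ip any any log
access-group DMZ-1_access_in in interface DMZ-1
!
! Address translation is still needed for DMZ-to-outside traffic. Keep the
! nat line from the thread and pair it with a global on the outside interface
! (pool id 10 must match on both lines).
nat (DMZ-1) 10 172.16.1.202 255.255.255.255 tcp 0 0 udp 0
global (outside) 10 interface
```

After applying it, run nslookup from the DMZ server once and then `show access-list DMZ-1_access_in`: the hitcnt on the two `eq domain` lines should increment while the `deny ip any any log` line stays at zero for that test. A query to any other resolver, or a lookup of the web server by name from a host that does not use 188.8.131.52, will be dropped by the final deny, which is exactly the behaviour the earlier WARNING in the thread describes.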