DMZ servers internet access

Stephen Sisson
Level 1

Hello All

Need some help with our DMZ servers.

We need our Web and VPN servers to have internet access. We configured the ACL to allow this, and the logs show this failing.

Do we need NAT plus the ACL to allow this?

Please give commands for ASDM, step-by-step, on what we need to make this

Thank you


9 Replies

Jouni Forss
VIP Alumni

Hi,

I can help with the needed configurations on the CLI but not really with the ASDM, as I don't use, or want to use, the ASDM for configuration purposes.

I would say that usually you need a NAT configuration for a network at least. If the interface doesn't have any ACL, then they are usually at least allowed to access the Internet on the basis of the interface's "security-level".

Could you share the logs you are seeing?

Or could you share the CLI format configuration?

You can do this also through ASDM by going to

  • Tools
  • Command Line Interface
  • Type "show run" (without the "") in the opening window and send the command to the ASA
  • Copy/paste the output here without any sensitive information like public IP addresses

- Jouni

       removed

Hi,

You seem to have Dynamic PAT configurations for all DMZ hosts.

You also seem to have a couple of Static NAT configurations.

Since the IP addresses are masked I am not 100% sure if the public IP addresses are part of the same network that is configured on your "outside" interface. IF NOT, then your problems might be due to missing this command: "arp permit-nonconnected"

With regards to the ACL rules, you only seem to have allowed traffic from a single host IP address on the DMZ. All other hosts' traffic will therefore be blocked. So if you have other hosts than the one that has an ACL rule, then you will have to configure additional ACL rules to allow traffic for the rest of the hosts behind the DMZ interface.

- Jouni

All public addresses used on the ASA are from the same subnet, 98.101.x.x /24

All we need is the "arp permit-nonconnected", then create an ACL to allow DMZ server access to the outside interface; do we need a return-path ACL for this traffic?

Thank you Jouni

Hi,

If you want your DMZ hosts to be able to connect to the Internet, then you will have to add ACL rules to your current DMZ interface's ACL to allow the outbound connections.

You won't have to allow the return traffic, as the ASA is a stateful firewall which keeps track of the connections through it. So when a connection has already been allowed through the firewall (according to the ACL rule), then the return traffic for that particular connection/flow will be allowed back through the firewall.

- Jouni

I really appreciate you helping me with this; I hate to make changes to something that works unless we know the results. I really appreciate your experience with the ASA.

P.S. Have a nice quiet vacation

Thank you Jouni

Hi,

I put this ACL in place and we are still not allowed to use the internet from the DMZ servers; the log is showing the drops:

access-list PCSFTP_access_in line 3 remark ACL_DMZ_Internet_Access_7_19_13

access-list PCSFTP_access_in line 4 extended permit ip any interface outside

Please help

Hi,

That ACL rule won't allow traffic to everywhere on the "outside".

What it actually does is allow traffic from "any" source address to the IP address of the "outside" interface. And since you can't connect to an ASA interface from behind another interface, it really won't have any effect.

If you wanted to allow all access from the DMZ you would have to simply use

access-list PCSFTP_access_in permit ip any any

Or alternatively use the actual DMZ network as the source address instead of "any".

Naturally this will allow traffic to other networks behind the ASA unless you block that traffic before this "permit ip any any" rule.

- Jouni
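
Putting the thread's advice together, as an added example that is not from any of the posts above: an ASA configuration (8.3 or later object-NAT syntax, an assumption) that gives the whole DMZ subnet Internet access through dynamic PAT plus an outbound interface ACL, with the deny toward internal networks placed before the permit as the last reply recommends, and a packet-tracer check to confirm the result before trusting the logs. The interface name PCSFTP is inferred from the ACL name PCSFTP_access_in; the DMZ subnet 10.10.10.0/24, the inside subnet 192.168.1.0/24, the DMZ host 10.10.10.10 and the destination 198.51.100.10 are placeholders; the existing static NATs for the published Web/VPN servers are not repeated here.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: ASA 8.3+ NAT syntax; DMZ interface is named PCSFTP (inferred
! from the ACL name PCSFTP_access_in); 10.10.10.0/24 (DMZ) and
! 192.168.1.0/24 (inside) are placeholder subnets.

! 0. Remove the rule that had no effect: it only permits traffic to the
!    outside interface's own address, which is not reachable from the DMZ.
no access-list PCSFTP_access_in extended permit ip any interface outside

! 1. Named objects for the networks the rules refer to.
object network DMZ-NET
 subnet 10.10.10.0 255.255.255.0
 ! 2. NAT: dynamic PAT for every DMZ host to the outside interface address.
 !    The static NATs for the published servers stay as separate entries.
 nat (PCSFTP,outside) dynamic interface
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! 3. DMZ interface ACL. Evaluation stops at the first match, so the deny
!    toward internal address space must precede the outbound permit, and the
!    permit uses the DMZ subnet as source rather than "any".
!    No rule is needed for return traffic: the stateful connection table
!    admits replies to connections the ACL already allowed.
access-list PCSFTP_access_in remark Block DMZ to internal networks first
access-list PCSFTP_access_in extended deny ip object DMZ-NET object-group RFC1918
access-list PCSFTP_access_in remark DMZ to Internet, source is the DMZ subnet
access-list PCSFTP_access_in extended permit ip object DMZ-NET any
access-group PCSFTP_access_in in interface PCSFTP

! 4. Verify: simulate a DMZ host opening HTTPS to an Internet address and
!    check that the ACCESS-LIST and NAT phases both report ALLOW.
packet-tracer input PCSFTP tcp 10.10.10.10 40000 198.51.100.10 443
! After real traffic, the permit line's hit count should be climbing:
show access-list PCSFTP_access_in
```

If a DMZ server legitimately needs a backend inside the ASA (a database or directory server, say), add a narrow permit for that host and port above the RFC1918 deny rather than widening the outbound rule. On ASA releases before 8.3 the PAT step is written instead as `global (outside) 1 interface` together with `nat (PCSFTP) 1 10.10.10.0 255.255.255.0`; the ACL and packet-tracer lines are unchanged.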

That worked Jouni

Thank you my friend

Have a great vacation
