How to Allow Traffic from DMZ to Internet and Block trafic from DMZ to Internal

zain_gabon
Level 1

Dear Support,

I have an ASA 5520 with the below config

Gi0/0: outside (Internet)

Gi0/1: inside (Internal users)

Gi0/2: DMZ (web servers, ftp, Mail etc..)

I have a SMTP relay deployed on the DMZ for mailing.

I also have a mail server installed in the internal LAN.

I want to allow traffic from the DMZ to reach the internal LAN, and I normally also want to allow the SMTP relay on the DMZ to reach the Internet.

How can I block traffic from the DMZ to the internal LAN (except SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?

To allow traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?

Please, help me

Regards

1 Accepted Solution

Accepted Solutions

Maykol Rojas
Cisco Employee

Hello Zain,

Well, it is just a matter of playing with the ACL lines. Here is an example.

Internal Lan 10.0.0.0/24

DMZ 172.16.10.0/24

SMTP server on inside 10.0.0.10

Mail Relay on DMZ 172.16.10.10

Consider the following access list:

access-list DMZ_OUT permit tcp host 172.16.10.10 host 10.0.0.10 eq 25
access-list DMZ_OUT deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_OUT permit ip any any

That list (read from top to bottom as the ASA does) permits inbound traffic on port 25 to your mail server only, while denying the rest of the traffic to the internal LAN. The last line will give you access to the Internet.

Hope it helps.

Mike

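To see why the order of those three lines is what makes the policy work, here is an added example (written for this thread, not Cisco's code or Mike's) that parses the DMZ_OUT lines exactly as posted and evaluates sample flows the way the ASA does: top to bottom, first matching line wins, and an implicit deny catches anything that matches no line. It assumes the list is applied inbound on the DMZ interface (access-group DMZ_OUT in interface DMZ); the sample flows and the Internet address 198.51.100.5 are constructed for the demonstration, and misordered_policy() shows what happens if the "permit ip any any" line is placed above the deny.

```python
"""First-match simulation of the DMZ_OUT access list from the accepted answer.
Added example for this thread (not Cisco's or the answerer's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as given in the answer. Assumed to be applied inbound on the
# DMZ interface with "access-group DMZ_OUT in interface DMZ".
ACL_TEXT = """
access-list DMZ_OUT permit tcp host 172.16.10.10 host 10.0.0.10 eq 25
access-list DMZ_OUT deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_OUT permit ip any any
"""


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq N", None if absent


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Network plus dotted subnet mask, e.g. "10.0.0.0 255.255.255.0"
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """Return (action, line_number) of the first matching entry, or ("deny", None)
    for the implicit deny that ends every ASA access list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, e in enumerate(entries, start=1):
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n
    return "deny", None


# Constructed sample flows from the DMZ; 198.51.100.5 stands in for an Internet host.
SAMPLE_FLOWS = [
    ("tcp", "172.16.10.10", "10.0.0.10", 25),      # relay -> inside mail server, SMTP
    ("tcp", "172.16.10.10", "10.0.0.10", 443),     # relay -> inside mail server, HTTPS
    ("tcp", "172.16.10.20", "10.0.0.10", 25),      # other DMZ host -> inside mail server
    ("udp", "172.16.10.10", "10.0.0.50", 53),      # relay -> inside DNS
    ("tcp", "172.16.10.10", "198.51.100.5", 25),   # relay -> Internet MX
    ("tcp", "172.16.10.30", "198.51.100.5", 80),   # DMZ web server -> Internet
]


def check_policy(acl_text=ACL_TEXT):
    """Evaluate every sample flow; returns {flow: (action, matching_line)}."""
    entries = parse_acl(acl_text)
    return {flow: evaluate(entries, *flow) for flow in SAMPLE_FLOWS}


def misordered_policy():
    """Same lines with 'permit ip any any' moved above the deny: the deny is
    shadowed, so every sample flow to the internal LAN is permitted."""
    lines = ACL_TEXT.strip().splitlines()
    swapped = "\n".join([lines[0], lines[2], lines[1]])
    return check_policy(swapped)


if __name__ == "__main__":
    for flow, (action, n) in check_policy().items():
        print(f"{flow!s:48} -> {action:6} (line {n})")
```

With the list as posted, only the relay's SMTP session to 10.0.0.10 reaches the inside; any other DMZ host, any other port, and any other protocol towards 10.0.0.0/24 hits line 2, and Internet-bound flows fall through to line 3. Swapping lines 2 and 3 makes the deny unreachable, which is the check worth running whenever a "permit ip any any" line is added to a DMZ interface ACL.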

2 Replies

Many thanks Mike

This helped me.

Regards
