Community Member

How to Allow Traffic from DMZ to Internet and Block Traffic from DMZ to Internal

Dear Support,

I have an ASA 5520 with the below config:

Gi0/0: outside (Internet)

Gi0/1: inside (internal users)

Gi0/2: DMZ (web servers, FTP, mail, etc.)

I have an SMTP relay deployed on the DMZ for mailing.

I also have a mail server installed in the internal LAN.

I want to allow traffic from the DMZ to reach the internal LAN, and I normally also want to allow the SMTP relay on the DMZ to reach the Internet.

How can I block traffic from the DMZ to reach the internal LAN (instead of SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?

For allowing traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?

Please help me.

Regards

1 ACCEPTED SOLUTION
Cisco Employee

How to Allow Traffic from DMZ to Internet and Block Traffic from

Hello Zain,

Well, it is just a matter of playing with the ACL lines. Here is an example.

Internal Lan 10.0.0.0/24

DMZ 172.16.10.0/24

SMTP server on inside 10.0.0.10

Mail Relay on DMZ 172.16.10.10

Consider the following access list:

access-list DMZ_OUT permit tcp host 172.16.10.10 host 10.0.0.10 eq 25
access-list DMZ_OUT deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_OUT permit ip any any

That list (read from top to bottom, as the ASA does) permits inbound traffic on port 25 to your mail server only, while denying the rest of the traffic to the internal LAN. The last line will give you access to the Internet.

Hope it helps.

Mike
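To make the first-match behaviour of that list concrete, here is an added Python simulation (not code from the original thread or from Cisco) of the three lines Mike posted, using his addresses plus a few constructed test flows; the Internet addresses are from the 203.0.113.0/24 documentation range. `evaluate` returns the action and the number of the line that matched, and a flow matching no line falls to the ASA's implicit deny at the end of every ACL.

```python
import ipaddress

# Constructed model of the three ACEs from the answer above, in the same order.
# Each entry: (action, protocol, source network, destination network, dest port).
# "ip" matches any protocol; a port of None matches any port; /0 stands for "any".
DMZ_OUT = [
    ("permit", "tcp", "172.16.10.10/32", "10.0.0.10/32", 25),
    ("deny",   "ip",  "0.0.0.0/0",       "10.0.0.0/24",  None),
    ("permit", "ip",  "0.0.0.0/0",       "0.0.0.0/0",    None),
]


def ace_matches(ace, proto, src, dst, dport):
    """Return True when one access-list entry covers the given flow."""
    _action, ace_proto, ace_src, ace_dst, ace_port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(ace_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(ace_dst):
        return False
    if ace_port is not None and ace_port != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation, top to bottom, as the ASA processes an ACL.

    Returns (action, 1-based line number) of the first matching entry, or
    ("deny", None) for the implicit deny when nothing matches.
    """
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, proto, src, dst, dport):
            return ace[0], index
    return "deny", None


# Constructed flows entering the ASA on the DMZ interface.
FLOWS = [
    ("tcp", "172.16.10.10", "10.0.0.10", 25),     # relay -> internal mail server, SMTP
    ("tcp", "172.16.10.10", "10.0.0.10", 445),    # relay -> internal mail server, SMB
    ("tcp", "172.16.10.20", "10.0.0.50", 80),     # other DMZ host -> internal host
    ("tcp", "172.16.10.10", "203.0.113.5", 25),   # relay -> Internet mail exchanger
    ("udp", "172.16.10.20", "203.0.113.53", 53),  # DMZ host -> Internet DNS
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(DMZ_OUT, *flow))
```

Swapping the first two lines would make the deny match the relay's SMTP flow first, which is why the specific permit has to sit above the subnet deny. The list only takes effect once it is bound to the interface with `access-group DMZ_OUT in interface DMZ`, where DMZ is the nameif from the question.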
2 REPLIES
Community Member

How to Allow Traffic from DMZ to Internet and Block Traffic from

Many thanks, Mike.

This helped me.

Regards
