Cisco Support Community
New Member

DMZ access from internal network

I have an exchange server sitting in my DMZ, IP addy 10.x.x.x and I want users in my internal network, 172.x.x.x, to be able to access it via ports 80 and 443 for OWA. What would the ACLs for this look like?

4 REPLIES

Re: DMZ access from internal network

If it's PIX/ASA then with the default configuration you don't need an ACL for access from inside to DMZ. The only thing that you would need is NAT or no-nat. Something like this should take care of it.

nat (inside) 1 access-list test
global (dmz) 1 interface
access-list test extended permit tcp 172.x.x.x 255.255.255.0 host 10.x.x.x eq www
access-list test extended permit tcp 172.x.x.x 255.255.255.0 host 10.x.x.x eq https

If I have not understood your setup or requirement correctly, just provide more details so that we can help you better.

HTH

Sundar

New Member

Re: DMZ access from internal network

I had that entry but my WAN guy told me

"Your DMZ ACL is applied inbound on the DMZ interface so there is no way 216.x subnet is going to be the source"

These are the entries I had:

access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.x.x.x eq 80
access-list DMZ permit tcp 172.0.216.0 255.255.255.0 host 10.x.x.x eq 443

New Member

Re: DMZ access from internal network

PIX

access-list inside_in permit tcp 10.0.0.0 255.0.0.0 host 172.x.x.x eq 80
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 host 172.x.x.x eq 443

New Member

Re: DMZ access from internal network

Can you make sense of this? I think SMTP is allowed in but not out. What entries would I make?

Oct 24 20:50:13 172.x.x.1 %PIX-4-106023: Deny tcp src DMZ:10.x.x.x/3743 dst outside:216.39.53.2/25 by access-group "DMZ"

Oct 24 20:50:13 172.x.x.1 %PIX-4-106023: Deny tcp src DMZ:10.x.x.x/3744 dst outside:209.191.118.103/25 by access-group "DMZ"
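An added example, not from anyone in this thread: a small Python triage script that parses the %PIX-4-106023 deny messages quoted above, evaluates them against the access-list entries posted earlier, and flags entries that can never match on the interface the ACL is bound to (the point the WAN colleague made about the 172.0.216.0 source on the inbound DMZ ACL). It assumes constructed addresses (10.1.1.10 for the DMZ host, 10.1.1.0/24 as the DMZ subnet) in place of the thread's 10.x.x.x placeholders.

```python
"""Triage PIX %PIX-4-106023 denies against access-list entries (constructed addresses)."""
import ipaddress
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}
LOG_RE = re.compile(r'%PIX-4-106023: Deny (\w+) src (\w+):([\d.]+)/\d+ '
                    r'dst (\w+):([\d.]+)/(\d+) by access-group "([^"]+)"')

def parse_deny(line):
    """Return (proto, src_if, src_ip, dst_if, dst_ip, dst_port, acl) or None."""
    m = LOG_RE.search(line)
    return m and (m[1], m[2], m[3], m[4], m[5], int(m[6]), m[7])

def _net(tok):
    """Consume 'any' | 'host A' | 'A MASK' from the token list and return a network."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")  # dotted netmask form

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()[1:]
    name = tok.pop(0)
    if tok[0] == "extended":
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _net(tok), _net(tok)
    port = (PORT_NAMES.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
    return name, action, proto, src, dst, port

def dead_aces(aces, ingress_net):
    """ACEs whose source can never arrive inbound on an interface serving ingress_net."""
    ingress = ipaddress.ip_network(ingress_net)
    return [a for a in aces if not a[3].overlaps(ingress)]

def verdict(aces, flow):
    """Action of the first ACE matching a denied flow, else 'implicit deny'."""
    proto, _sif, sip, _dif, dip, dport, acl = flow
    for name, action, aproto, src, dst, port in aces:
        if name == acl and aproto in (proto, "ip") and port in (None, dport) \
                and ipaddress.ip_address(sip) in src and ipaddress.ip_address(dip) in dst:
            return action
    return "implicit deny"
```

Running the SMTP deny lines through verdict() with only the two 172.0.216.0 entries loaded returns "implicit deny", and dead_aces() lists both entries when given the DMZ subnet, which is the behaviour the log shows.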
