https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090944#M395468 <P>Hi I need some help here I have an ASA 5505 with the security bundle, latest ASA software 9.0(1).</P><P></P><P>I have 3 DMZs. I initially allowed them access to the internet using e.g.:</P><P>object network obj_dmz1 </P><P>subnet 192.168.1.0 255.255.255.0 </P><P>nat (dmz1,outside) dynamic interface </P><P></P><P>This was fine, except when I then created a rule to allow the DMZ to the internal network on one IP and port, they could no longer access the outside network at all. </P><P>I can add an access rule to allow access to any, but that is hardly what I want - that gives full access to the internal network. </P><P></P><P>I presume the issue is because the implicit rule allowing any to a less secure network no longer applies now that I have created a NAT rule. So, how can I allow the hosts in the DMZ to access the internet again?</P><P></P><P>Thanks    </P> Tue, 12 Mar 2019 00:24:38 GMT Hal Sclater 2019-03-12T00:24:38Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090944#M395468 <P>Hi I need some help here I have an ASA 5505 with the security bundle, latest ASA software 9.0(1).</P><P></P><P>I have 3 DMZs. I initially allowed them access to the internet using e.g.:</P><P>object network obj_dmz1 </P><P>subnet 192.168.1.0 255.255.255.0 </P><P>nat (dmz1,outside) dynamic interface </P><P></P><P>This was fine, except when I then created a rule to allow the DMZ to the internal network on one IP and port, they could no longer access the outside network at all. </P><P>I can add an access rule to allow access to any, but that is hardly what I want - that gives full access to the internal network. </P><P></P><P>I presume the issue is because the implicit rule allowing any to a less secure network no longer applies now that I have created a NAT rule. So, how can I allow the hosts in the DMZ to access the internet again?</P><P></P><P>Thanks    </P> Tue, 12 Mar 2019 00:24:38 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090944#M395468 Hal Sclater 2019-03-12T00:24:38Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090945#M395469 <HTML><HEAD></HEAD><BODY><P>Before the "permit any" you mentioned, add a "Deny all RFC 1918" (after the permit you already mentioned).</P><P></P><P>Karsten I. has a nice post <A _jive_internal="true" href="https://community.cisco.com/message/3737141#3737141">here</A> that explains this approach in more detail.</P></BODY></HTML> Sat, 17 Nov 2012 04:43:49 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090945#M395469 Marvin Rhoads 2012-11-17T04:43:49Z https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090946#M395470 <HTML><HEAD></HEAD><BODY><P>Thanks, that is exactly what I needed. </P><P></P><P>I eneded up with this, which lets the DMZHOST get to anywhere apart from the internal subnets:</P><P></P><P></P><P></P><P>access-list dmz2_access_in extended permit tcp object DMZHOST object MAILSERVER eq smtp </P><P>access-list dmz2_access_in extended deny ip any object-group RFC1918 </P><P>access-list dmz2_access_in extended permit ip object DMZHOST object obj_any </P><P></P><P>Works a treat, now the DMZHOST can access the Mailserver but nothing else internally, and go wherever it wants outside.</P><P></P><P>Thanks.</P></BODY></HTML> Sat, 17 Nov 2012 11:18:10 GMT https://community.cisco.com/t5/network-security/cisco-asa-dmz-access-outside/m-p/2090946#M395470 Hal Sclater 2012-11-17T11:18:10Z