https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952980#M439844 <HTML><HEAD></HEAD><BODY><P>You are missing the following line:</P><P></P><P>access-group dmz_access_in in interface dmz</P><P></P><P>The above will achieve your point number 2).</P></BODY></HTML> Tue, 17 Jul 2012 07:10:52 GMT Jennifer Halim 2012-07-17T07:10:52Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952975#M439837 <P>Hello,</P><P></P><P>I've set up my server in the DMZ.&nbsp; I was able to make some rules to allow the dmz host to access for example, my SQL server on the inside.&nbsp; It was just an ALLOW rule I had to make.</P><P></P><P>I would need this DMZ host (only this host, not the other DMZ members) to access HTTP on the internet... for windows update and for other things...</P><P></P><P>Most examples I find are all based on older versions of the ASA ... before the natting rules changed.&nbsp;&nbsp; Please help me with this config... and keep in mind that I'm a beginner so you might be more effective to give concrete examples rather than general instructions.</P><P></P><P>here's my setup attached;</P><P></P><P>P.S.&nbsp; The entries there which are for 172.21.20.2 are just attempts ...&nbsp; forgot to remove them from my running-config.</P> Mon, 11 Mar 2019 23:27:51 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952975#M439837 Brendan Wood 2019-03-11T23:27:51Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952976#M439839 <HTML><HEAD></HEAD><BODY><P>Here you go:</P><P></P><P><STRONG>access-list dmz_access_in extended deny ip object Webserver 172.20.20.0 255.255.254.0</STRONG></P><P><STRONG>access-list dmz_access_in extended permit tcp object Webserver any eq 80</STRONG></P><P></P><P>The above will "deny" the webserver from accessing the internal network except those that you have already allowed earlier, and allow the webserver to access the internet on port 80.</P><P>If you also want to allow port 443 (HTTPS), then just add the following:</P><P></P><P><STRONG>access-list dmz_access_in extended permit tcp object Webserver any eq 443</STRONG></P></BODY></HTML> Sun, 08 Jul 2012 02:02:36 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952976#M439839 Jennifer Halim 2012-07-08T02:02:36Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952977#M439841 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,&nbsp; your solution helped me fix my issue, but i had to add a few things to it.&nbsp; I would just like to confirm what I did was correct.</P><P></P><P>In addition to the access-lists, I had to make a nat rule from DMZ to outside.&nbsp; I also had to create an access list for permitting "tcp-udp/domain" because I saw that my dns was not working.</P><P></P><P>Am I on the right track?</P></BODY></HTML> Sun, 08 Jul 2012 05:58:30 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952977#M439841 Brendan Wood 2012-07-08T05:58:30Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952978#M439842 <HTML><HEAD></HEAD><BODY><P>Correct, you would need NAT for the web server and access-list to permit DNS resolution (UDP/53) as follows:</P><P></P><P><STRONG>object network WebserverDMZ</STRONG></P><P><STRONG> host 172.21.20.2</STRONG></P><P><STRONG> nat (dmz,outside) dynamic interface</STRONG></P><P></P><P><STRONG>access-list dmz_access_in extended permit udp object Webserver any eq 53</STRONG></P></BODY></HTML> Sun, 08 Jul 2012 09:17:00 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952978#M439842 Jennifer Halim 2012-07-08T09:17:00Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952979#M439843 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Not quite got it yet;</P><P></P><P>I've attached my configuration here;&nbsp; with this configuration I am able to access the web host from the outside, but I cannot get to the internet from the web host.</P><P></P><P>It seems when I make changes suggested above, I can indeed access the internet from the DMZ.</P><P></P><P>Can someone please look at my sample config attached (took out unneccessary lines), and suggest modifications to achieve the following;</P><P></P><P>1) DMZ-WINDOWS1 should be hit when hit from requests from the internet.</P><P>2) DMZ-WINDOWS1 and DMZ-LINUX1 should be able to communicate with the outside (and domain, https, etc.)</P><P></P><P>Thanks in advance!</P></BODY></HTML> Fri, 13 Jul 2012 18:43:03 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952979#M439843 Brendan Wood 2012-07-13T18:43:03Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952980#M439844 <HTML><HEAD></HEAD><BODY><P>You are missing the following line:</P><P></P><P>access-group dmz_access_in in interface dmz</P><P></P><P>The above will achieve your point number 2).</P></BODY></HTML> Tue, 17 Jul 2012 07:10:52 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952980#M439844 Jennifer Halim 2012-07-17T07:10:52Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952981#M439845 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Unfortunately your solution didn't work ... but I made some changes to allow it to work but I was wondering if you can validate the setup.</P><P></P><P>I know there's a problem with it for DNS already.&nbsp; Please see the following config;</P><P></P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 172.20.20.1 255.255.254.0</P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> pppoe client vpdn group Acanac</P><P> ip address pppoe setroute</P><P>!</P><P>interface Vlan3</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 172.21.20.1 255.255.255.0</P><P></P><P></P><P>dns server-group DefaultDNS</P><P> domain-name BRENDAN-WOOD.LOCAL</P><P>object network obj_any</P><P> subnet 0.0.0.0 0.0.0.0</P><P>object network SRV-DMZ-LINUX1</P><P> host 172.21.20.3</P><P> description DMZ Linux Host 1</P><P>object network SRV-DMZ-WINDOWS1</P><P> host 172.21.20.2</P><P> description DMZ Windows Host 1</P><P>object network NETWORK_OBJ_10.20.20.0_27</P><P> subnet 10.20.20.0 255.255.255.224</P><P>object network TEST</P><P> host 172.21.20.2</P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>object-group network SRV-DMZ-GROUP</P><P> network-object object SRV-DMZ-LINUX1</P><P> network-object object SRV-DMZ-WINDOWS1</P><P>object-group service DM_INLINE_SERVICE_1</P><P> service-object icmp</P><P> service-object tcp destination eq www</P><P> service-object tcp destination eq domain</P><P>object-group service DM_INLINE_SERVICE_2</P><P> service-object icmp</P><P> service-object tcp destination eq domain</P><P> service-object tcp destination eq www</P><P> service-object tcp destination eq https</P><P>access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0</P><P>access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP any</P><P>access-list OutsidetoDMZ extended permit object-group DM_INLINE_SERVICE_1 any object-group SRV-DMZ-GROUP</P><P></P><P></P><P>nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.20.0_27 NETWORK_OBJ_10.20.20.0_27 no-proxy-arp route-lookup</P><P>!</P><P>object network obj_any</P><P> nat (inside,outside) dynamic interface</P><P>object network SRV-DMZ-LINUX1</P><P> nat (dmz,outside) dynamic interface</P><P>object network SRV-DMZ-WINDOWS1</P><P> nat (dmz,outside) static interface service tcp www www</P><P>object network TEST</P><P> nat (dmz,outside) dynamic interface</P><P>access-group OutsidetoDMZ in interface outside</P><P>access-group dmz_access_in in interface dmz</P></BODY></HTML> Sun, 22 Jul 2012 03:40:27 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952981#M439845 Brendan Wood 2012-07-22T03:40:27Z https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952982#M439846 <HTML><HEAD></HEAD><BODY><P>DNS should be UDP instead of TCP, so your service object group should be change:</P><P></P><P>FROM:</P><P>object-group service DM_INLINE_SERVICE_1</P><P> service-object icmp</P><P> service-object tcp destination eq www</P><P> service-object <STRONG>tcp</STRONG> destination eq domain</P><P>object-group service DM_INLINE_SERVICE_2</P><P> service-object icmp</P><P> service-object <STRONG>tcp</STRONG> destination eq domain</P><P> service-object tcp destination eq www</P><P> service-object tcp destination eq https</P><P></P><P>TO:</P><P>object-group service DM_INLINE_SERVICE_1</P><P> service-object icmp</P><P> service-object tcp destination eq www</P><P> service-object <STRONG>udp</STRONG> destination eq domain</P><P>object-group service DM_INLINE_SERVICE_2</P><P> service-object icmp</P><P> service-object <STRONG>udp</STRONG> destination eq domain</P><P> service-object tcp destination eq www</P><P> service-object tcp destination eq https</P></BODY></HTML> Sun, 22 Jul 2012 10:27:56 GMT https://community.cisco.com/t5/network-security/allow-dmz-server-to-contact-the-internet-http-only/m-p/1952982#M439846 Jennifer Halim 2012-07-22T10:27:56Z