https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240480#M860142 <P>Hi,</P><P></P><P>I'm wondering if there is an 'easy' way of allowing a host on a DMZ access to the internet (HTTP) but without allowing it access to the internet LAN (also HTTP).</P><P></P><P>To clarify the scenario, you have an ASA with 3 interfaces. Internal, DMZ, Outside. Lets assume NAT is sorted so can ignore any NATing. I want to allow a host on the DMZ access through the ASA to the internet (over TCP 80), but don't want that same host to have access to the LAN over TCP 80.</P><P></P><P>I maybe wrong but if you add a rule on the DMZ ACL, (source = host on the DMZ to have access to the internet, destination = any (internet), Service TCP 80) would this not also give the host on the DMZ access to the LAN interface (being as that falls into 'any') also?</P><P></P><P>So, is there a way of allow a host access to the internet, while still not allowing that host access to more secure networks, without having to add a deny rule also?</P><P></P><P>Thanks</P><P>Terry </P> Mon, 11 Mar 2019 15:27:36 GMT Terryn Barbarich 2019-03-11T15:27:36Z https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240480#M860142 <P>Hi,</P><P></P><P>I'm wondering if there is an 'easy' way of allowing a host on a DMZ access to the internet (HTTP) but without allowing it access to the internet LAN (also HTTP).</P><P></P><P>To clarify the scenario, you have an ASA with 3 interfaces. Internal, DMZ, Outside. Lets assume NAT is sorted so can ignore any NATing. I want to allow a host on the DMZ access through the ASA to the internet (over TCP 80), but don't want that same host to have access to the LAN over TCP 80.</P><P></P><P>I maybe wrong but if you add a rule on the DMZ ACL, (source = host on the DMZ to have access to the internet, destination = any (internet), Service TCP 80) would this not also give the host on the DMZ access to the LAN interface (being as that falls into 'any') also?</P><P></P><P>So, is there a way of allow a host access to the internet, while still not allowing that host access to more secure networks, without having to add a deny rule also?</P><P></P><P>Thanks</P><P>Terry </P> Mon, 11 Mar 2019 15:27:36 GMT https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240480#M860142 Terryn Barbarich 2019-03-11T15:27:36Z https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240481#M860143 <HTML><HEAD></HEAD><BODY><P>Write an acl and the first line would be a deny to the inside LAN, then a permit to any.</P><P></P><P>HTH&gt;</P></BODY></HTML> Tue, 05 May 2009 12:34:36 GMT https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240481#M860143 andrew.prince 2009-05-05T12:34:36Z https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240482#M860146 <HTML><HEAD></HEAD><BODY><P>Thanks Andrew sounds good.</P></BODY></HTML> Tue, 05 May 2009 15:08:07 GMT https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240482#M860146 Terryn Barbarich 2009-05-05T15:08:07Z https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240483#M860148 <HTML><HEAD></HEAD><BODY><P>np - glad to help.</P></BODY></HTML> Tue, 05 May 2009 15:09:11 GMT https://community.cisco.com/t5/network-security/allow-internet-access-without-using-any-with-asdm/m-p/1240483#M860148 andrew.prince 2009-05-05T15:09:11Z