https://community.cisco.com/t5/network-security/dmz-design/m-p/961057#M939289 <HTML><HEAD></HEAD><BODY><P>#Allow outside to hit dmz server</P><P>static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255 </P><P>#Allow communication between inside and srv network</P><P>static (inside,srv) 172.18.1.0 172.18.1.0 netmask 255.255.224.0</P><P>#ACL for dmz interface</P><P>access-list dmz extended permit tcp host 10.10.2.x host <INSIDE.HOST> eq xxx</INSIDE.HOST></P><P>#Add additional permit statements here</P><P>#Now deny everything else to inside</P><P>access-list dmz extended deny ip any 172.18.1.0 255.255.224.0</P><P>#Now allow all other traffic outbound to internet from srv</P><P>access-list dmz extended permit ip any any</P><P>access-group dmz in interface srv</P><P></P></BODY></HTML> Tue, 15 Apr 2008 14:14:23 GMT acomiskey 2008-04-15T14:14:23Z https://community.cisco.com/t5/network-security/dmz-design/m-p/961056#M939287 <P>here is my dilemma, we have a dmz setup on an asa5520 where we are going to have a public web server that needs to access a backend sql database on the internal network.</P><P></P><P>I want to allow the server in the dmz to initiate with the internet as well as be accessible from the internet, and to be able to initiate with a few servers on the inside for backup processes. I also want to be able to manage dmz servers from the inside, restricted to a few specific ip addresses.</P><P></P><P>I know how to create acls in the dmz to allow access back to the internal network, however when i do this i am unable to then connect to the internet from the webserver in the dmz. right now i have taken out the specific acls and added one blanket acl to allow ip any any. However this gives me complete access to the internal network, but it also gives me internet access?</P><P></P><P>My question is what kind of acls do i need to write to </P><P></P><P>1. allow servers in the dmz to access the internet with its range of ip addresses. Some sort of Nat Statement?</P><P>2. allow servers in dmz to access specific internal servers</P><P>3. manage web servers in dmz from internal network.</P><P></P><P></P><P>I have taken out the static nat statement allowing the public ip of the web server in the dmz to be translated to the private ip. static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255</P><P></P><P></P><P></P> Mon, 11 Mar 2019 12:31:28 GMT https://community.cisco.com/t5/network-security/dmz-design/m-p/961056#M939287 greg.blumberg 2019-03-11T12:31:28Z https://community.cisco.com/t5/network-security/dmz-design/m-p/961057#M939289 <HTML><HEAD></HEAD><BODY><P>#Allow outside to hit dmz server</P><P>static (srv,outside) MRI-Portal MRI-SRV netmask 255.255.255.255 </P><P>#Allow communication between inside and srv network</P><P>static (inside,srv) 172.18.1.0 172.18.1.0 netmask 255.255.224.0</P><P>#ACL for dmz interface</P><P>access-list dmz extended permit tcp host 10.10.2.x host <INSIDE.HOST> eq xxx</INSIDE.HOST></P><P>#Add additional permit statements here</P><P>#Now deny everything else to inside</P><P>access-list dmz extended deny ip any 172.18.1.0 255.255.224.0</P><P>#Now allow all other traffic outbound to internet from srv</P><P>access-list dmz extended permit ip any any</P><P>access-group dmz in interface srv</P><P></P></BODY></HTML> Tue, 15 Apr 2008 14:14:23 GMT https://community.cisco.com/t5/network-security/dmz-design/m-p/961057#M939289 acomiskey 2008-04-15T14:14:23Z https://community.cisco.com/t5/network-security/dmz-design/m-p/961058#M939290 <HTML><HEAD></HEAD><BODY><P>thanks, this did the trick.</P></BODY></HTML> Tue, 15 Apr 2008 17:12:39 GMT https://community.cisco.com/t5/network-security/dmz-design/m-p/961058#M939290 greg.blumberg 2008-04-15T17:12:39Z