https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993815#M941462 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>Brettilborrow: </P><P></P><P>I have an ACL on my DMZ, so I solved the problem then by doing just as you described it.</P><P></P><P>I was hoping tho that there was a better way then having to implent an "deny ip <INTERNAL networks="">" at the start of the ACL. And then putting the "permit ip any any" to give internal DMZ hosts access to the internet.</INTERNAL></P><P></P><P>But regarding the ACL, im going from an higher sec-level and towards an lower interface when going "outside" arent I? my DMZ hosts should only get an denied when encountering my other higher sec-level DMZ/inside interface.</P><P></P><P>Thanks, appreciate the help!</P></BODY></HTML> Thu, 06 Mar 2008 10:42:32 GMT azore2007 2008-03-06T10:42:32Z https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993812#M941450 <P>Hi!</P><P></P><P>I'm abit confused and need some config help</P><P></P><P>How would you configure your PIX/ASA to let your DMZ which has a public IP-Network access to the internet without NAT'ing it through the outside interface</P><P>And without giving the DMZ access anything else (like other DMZ,internal networks etc)</P><P></P><P>Interface Outside</P><P>Public IP-Address/NW</P><P>Sec-level 0</P><P></P><P>Interface DMZ </P><P>Public IP-Address/NW</P><P>Sec-Level 20</P><P></P><P>Interface Inside</P><P>Internal IP Address/NW</P><P>Sec 100</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (dmz) 0 0.0.0.0 0.0.0.0</P><P></P><P>static (dmz,outside) dmz_nw dmz_nw</P><P></P><P>Shouldnt this be enough to let my DMZ out and able to access the internet without using my outside interface IP</P><P></P><P></P><P>I have nat-control active also </P><P></P><P>Do I make sense? </P><P></P><P>Thanks</P> Mon, 11 Mar 2019 12:12:38 GMT https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993812#M941450 azore2007 2019-03-11T12:12:38Z https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993813#M941456 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The config you have should be enough to allow access to the internet for your DMZ hosts, provided that you do not have an acl applied to the DMZ interface. </P><P></P><P>If you do have an acl applied, you will need to modify the acl to permit the outbound traffic. </P><P></P><P>e.g: </P><P>access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80</P><P>access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443</P><P>access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53</P><P></P><P></P><P>NOTE: If you want to restrict access from the DMZ to your internal network on the ports mentioned above (you may have noticed the 'any' keyword used as the destination), then you need to add the following to your acl BEFORE the above mentioned lines:</P><P></P><P>e.g:</P><P>access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK</P><P></P><P></P><P>COMMAND SUMMARY:</P><P>access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK</P><P>access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80</P><P>access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443</P><P>access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53</P><P></P><P></P><P>NOTES ON NATTING ON ASA:</P><P>Try to remember this: 'statics' override 'nats' for outbound connectivity, unless you specify a 'nat 0'.</P><P></P><P>In your case you have a static and a nat that covers the DMZ hosts, and taking the above into account, the NAT 0 statement will be used for the outbound connections. </P><P></P><P>Hope this helps!</P><P></P></BODY></HTML> Wed, 05 Mar 2008 16:47:54 GMT https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993813#M941456 brettmilborrow 2008-03-05T16:47:54Z https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993814#M941458 <HTML><HEAD></HEAD><BODY><P>nat (dmz) 0 0.0.0.0 0.0.0.0 </P><P></P><P>will allow DMZ to access Internal networks as well. Delete it, and you should be ok.</P></BODY></HTML> Wed, 05 Mar 2008 21:52:50 GMT https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993814#M941458 kaachary 2008-03-05T21:52:50Z https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993815#M941462 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>Brettilborrow: </P><P></P><P>I have an ACL on my DMZ, so I solved the problem then by doing just as you described it.</P><P></P><P>I was hoping tho that there was a better way then having to implent an "deny ip <INTERNAL networks="">" at the start of the ACL. And then putting the "permit ip any any" to give internal DMZ hosts access to the internet.</INTERNAL></P><P></P><P>But regarding the ACL, im going from an higher sec-level and towards an lower interface when going "outside" arent I? my DMZ hosts should only get an denied when encountering my other higher sec-level DMZ/inside interface.</P><P></P><P>Thanks, appreciate the help!</P></BODY></HTML> Thu, 06 Mar 2008 10:42:32 GMT https://community.cisco.com/t5/network-security/giving-dmz-internet-access-only/m-p/993815#M941462 azore2007 2008-03-06T10:42:32Z