Allow Webserver (DMZ) access to Wordpress.org

tkamish22
Level 1

I am fairly new to ASAs.  I have a webserver in my DMZ that I need to allow access to wordpress.org.  Could anyone please help me in the setup with this?  Currently, my DMZ does not have internet access by design. 

Web Server IP (DMZ): 172.100.1.10    

LAN (Inside): 192.100.1.0/24

Any help is appreciated!!


8 Replies

mvsheik123
Level 7

Hi Tyler,

Do you have an additional public IP to use for DMZ host translation, or do you need to use the existing outside IP only?

What is the ASA OS version?

Do you need to restrict access to wordpress.org (firm requirement), or is general internet access from the webserver fine?

Post current config from ASA as well.

Thx

MS

I do not have an additional public IP.

I need a webserver to be able to access the internet, specifically www.wordpress.org.  

Config attached; please note that IPs and other config have been changed.

ASA Version 8.2(4)4
!
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 15
!
interface Ethernet0/7
switchport access vlan 15
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.74 255.255.255.248
!
interface Vlan15
nameif DMZ
security-level 50
ip address 172.100.1.254 255.255.255.0
!

Hello Tyler,

Modify the ACL:

access-list DMZ_Access_In permit tcp any any eq 80

access-list DMZ_Access_In permit tcp any any eq 443

access-list DMZ_Access_In permit udp any any eq 53

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the response, Julio.  I will apply the above and let you know! 

Hello Tyler,

Sure, let me know.

Remember to rate all the posts; that is as important as a thank you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Tyler,

Julio's suggestion works perfectly for you, and if you want to restrict your webserver communication to inside, consider adding the below:

access-list DMZ_Access_In extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433

access-list DMZ_Access_In extended permit icmp any any echo-reply

----------

access-list DMZ_Access_In extended deny ip any 10.10.1.0 255.255.255.0
(restrict any further communication from DMZ to inside subnet)

If you use internal DNS servers, then allow the port 53 to those servers as 2nd access-list line.

Julio, please correct if I miss anything.

Thx

MS
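
As an added example (not code from this thread and not a Cisco tool), the following Python model applies ASA first-match access-list evaluation to the lines quoted in the two accepted answers above. The two orderings, the test flows and the address 198.51.100.10 (a documentation-range stand-in for wordpress.org) are constructed assumptions. What it shows is the ordering point behind MS's "2nd access-list line" remark: because the ASA stops at the first matching entry and ends every ACL with an implicit deny, the `deny ip any 10.10.1.0 255.255.255.0` line only restricts DMZ-to-inside traffic on ports 80, 443 and 53 if it is evaluated before the `permit tcp any any` lines.

```python
"""
First-match evaluation of the DMZ_Access_In lines from this thread.
Added example, not the thread's own code: it models the two ASA ACL
semantics that matter here (first matching entry wins; implicit deny at
the end). Flows, orderings and 198.51.100.10 are constructed assumptions.
"""
import ipaddress
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT | ICMPTYPE]'.
    Only the subset used in the thread (no source ports, no object-groups)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    port = icmp_type = None
    if i < len(t):
        if t[i] == "eq":
            port = int(t[i + 1])
        elif proto == "icmp":
            icmp_type = t[i]
    return {"name": t[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "icmp_type": icmp_type}


def ace_matches(ace, flow):
    """True when the flow falls inside every field the entry constrains."""
    if ace["proto"] != "ip" and ace["proto"] != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow.dst) not in ace["dst"]:
        return False
    if ace["port"] is not None and ace["port"] != flow.dport:
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != flow.icmp_type:
        return False
    return True


def evaluate(acl_lines, flow):
    """'permit' or 'deny' for flow: first match wins, implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"]
    return "deny"


# ACL text quoted from the two accepted answers.
INTERNET_PERMITS = [
    "access-list DMZ_Access_In permit tcp any any eq 80",
    "access-list DMZ_Access_In permit tcp any any eq 443",
    "access-list DMZ_Access_In permit udp any any eq 53",
]
INSIDE_RESTRICTION = [
    "access-list DMZ_Access_In extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433",
    "access-list DMZ_Access_In extended permit icmp any any echo-reply",
    "access-list DMZ_Access_In extended deny ip any 10.10.1.0 255.255.255.0",
]
PERMITS_FIRST = INTERNET_PERMITS + INSIDE_RESTRICTION      # restriction appended last
RESTRICTION_FIRST = INSIDE_RESTRICTION + INTERNET_PERMITS  # restriction evaluated first

# Constructed flows; 198.51.100.10 is a documentation-range stand-in for wordpress.org.
WEB_OUT = Flow("tcp", "172.100.1.10", "198.51.100.10", 443)
DMZ_TO_INSIDE_HTTP = Flow("tcp", "172.100.1.10", "10.10.1.50", 80)
DMZ_TO_INSIDE_SSH = Flow("tcp", "172.100.1.10", "10.10.1.50", 22)
SQL = Flow("tcp", "172.100.1.64", "10.10.1.21", 1433)


def audit(acl_lines):
    """Verdict for each constructed flow, for side-by-side comparison of orderings."""
    flows = {"web_out": WEB_OUT, "dmz_to_inside_http": DMZ_TO_INSIDE_HTTP,
             "dmz_to_inside_ssh": DMZ_TO_INSIDE_SSH, "sql": SQL}
    return {name: evaluate(acl_lines, f) for name, f in flows.items()}


if __name__ == "__main__":
    for label, acl in (("permits first", PERMITS_FIRST), ("restriction first", RESTRICTION_FIRST)):
        print(label, audit(acl))
```

With the restriction appended after the broad permits, the DMZ host can still reach inside hosts on 80, 443 and 53, because those `permit tcp any any` entries match before the deny is reached; with the restriction first, internet access still works and only the 1433 and echo-reply exceptions reach the inside subnet. On the ASA itself, `show access-list DMZ_Access_In` displays the entries in evaluation order with hit counts, and `access-list DMZ_Access_In line N ...` inserts an entry at a chosen position rather than appending it.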

Hello,

That is correct. If restriction to the internal subnet is required, that is how you need to do it.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the help!  Seems everything is working the way we want it to.  Just need to add a host record for the websites that we need now on DNS.
