08-30-2012 07:25 AM - edited 03-11-2019 04:47 PM
I am fairly new to ASAs. I have a webserver in my DMZ that I need to allow access to wordpress.org. Could anyone please help me in the setup with this? Currently, my DMZ does not have internet access by design.
Web Server IP (DMZ): 172.100.1.10
LAN (Inside): 192.100.1.0/24
Any help is appreciated!!
08-30-2012 09:45 AM
Hello Tyler,
Modify the ACL:
access-list DMZ_Access_In permit tcp any any eq 80
access-list DMZ_Access_In permit tcp any any eq 443
access-list DMZ_Access_In permit udp any any eq 53
Regards,
Julio
08-30-2012 10:23 AM
Hi Tyler,
Julio's suggestion works perfectly for you, and if you want to restrict your webserver communication to inside, consider adding the below:
access-list DMZ_Access_In extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433
access-list DMZ_Access_In extended permit icmp any any echo-reply
----------
access-list DMZ_Access_In extended deny ip any 10.10.1.0 255.255.255.0 (restrict any further communication from DMZ to inside subnet)
If you use internal DNS servers, then allow port 53 to those servers as the 2nd access-list line.
Julio, please correct if I miss anything.
Thx
MS
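Putting Julio's and MS's lines together in the order the ASA will actually evaluate them, as an added worked example that is not from the thread. ASA evaluates an access-list top-down and appends each new line at the end, and once an ACL is bound to an interface the security-level default (DMZ 50 cannot reach inside 100) no longer applies, so the deny to the inside subnet has to come before the broad permits. Addresses are taken from the posted config (inside 10.10.1.0/24, DMZ 172.100.1.0/24, web server 172.100.1.10); the internal DNS server 10.10.1.20 and NAT id 1 are assumptions, and since 8.2 has no FQDN objects (those arrived in 8.4(2)) the destination cannot be narrowed to wordpress.org by name, so the example narrows the source to the web server instead.

```cisco
! Hypothetical worked example (not from the thread). Enter into an empty
! DMZ_Access_In list so the order below is preserved.
!
! 1. Specific DMZ-to-inside exceptions first.
access-list DMZ_Access_In remark Web server may query the internal DNS server only (assumed 10.10.1.20)
access-list DMZ_Access_In extended permit udp host 172.100.1.10 host 10.10.1.20 eq 53
access-list DMZ_Access_In extended permit icmp any any echo-reply
!
! 2. Block everything else from the DMZ to the inside subnet. This must precede
!    the general permits below, otherwise "permit tcp any any eq 80" would also
!    let the DMZ reach inside hosts on port 80.
access-list DMZ_Access_In remark Nothing else from DMZ to inside
access-list DMZ_Access_In extended deny ip any 10.10.1.0 255.255.255.0
!
! 3. Outbound web access, limited to the web server rather than "any" source.
access-list DMZ_Access_In extended permit tcp host 172.100.1.10 any eq 80
access-list DMZ_Access_In extended permit tcp host 172.100.1.10 any eq 443
!    (implicit deny ip any any at the end of the list)
!
! Bind the list inbound on the DMZ interface (nameif DMZ in the posted config).
access-group DMZ_Access_In in interface DMZ
!
! 8.2 NAT: no spare public IP, so PAT the DMZ subnet behind the outside
! interface address (NAT id 1 assumed; reuse whatever id inside already uses).
global (outside) 1 interface
nat (DMZ) 1 172.100.1.0 255.255.255.0
```

Check the resulting order with `show access-list DMZ_Access_In` and confirm the deny line sits above the port 80/443 permits and shows hit counts once the web server tries to reach inside.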
08-30-2012 08:03 AM
Hi Tyler,
Do you have an additional public IP to use for DMZ host translation, or do you need to use the existing outside IP only?
What is the ASA OS version?
Do you need to restrict access to wordpress.org (firm requirement), or is general internet access from the webserver fine?
Post current config from ASA as well.
Thx
MS
08-30-2012 08:31 AM
I do not have an additional public IP.
I need a webserver to be able to access the internet, specifically www.wordpress.org.
Config attached; please note that IPs and other config have been changed.
ASA Version 8.2(4)4
!
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 15
!
interface Ethernet0/7
switchport access vlan 15
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.74 255.255.255.248
!
interface Vlan15
nameif DMZ
security-level 50
ip address 172.100.1.254 255.255.255.0
!
08-30-2012 09:46 AM
Thanks for the response, Julio. I will apply the above and let you know!
08-30-2012 09:56 AM
Hello Tyler,
Sure, let me know.
Remember to rate all the posts, that is as important as a thank you.
08-30-2012 10:28 AM
Hello,
That is correct. If restriction to the internal subnet is required, that is how you need to do it.
Regards,
Julio
09-04-2012 11:27 AM
Thanks for the help! Seems everything is working the way we want it to. Just need to add a host record for the websites that we need now on DNS.