Allow Webserver (DMZ) access to Wordpress.org

I am fairly new to ASAs.  I have a webserver in my DMZ that I need to allow access to wordpress.org.  Could anyone please help me in the setup with this?  Currently, my DMZ does not have internet access by design. 

Web Server IP (DMZ): 172.100.1.10    

LAN (Inside): 192.100.1.0/24

Any help is appreciated!!

Allow Webserver (DMZ) access to Wordpress.org

Hi Tyler,

Do you have an additional public IP to use for DMZ host translation, or do you need to use the existing outside IP only?

What is the ASA OS version?

Do you need to restrict access to wordpress.org (firm requirement), or is general internet access from the webserver fine?

Post current config from ASA as well.

Thx

MS

Re: Allow Webserver (DMZ) access to Wordpress.org

I do not have an additional public IP.

I need a webserver to be able to access the internet, specifically www.wordpress.org.  

Config attached, please note that IPs and other config has been changed.

ASA Version 8.2(4)4
!
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 15
!
interface Ethernet0/7
 switchport access vlan 15
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.74 255.255.255.248
!
interface Vlan15
 nameif DMZ
 security-level 50
 ip address 172.100.1.254 255.255.255.0
!

Re: Allow Webserver (DMZ) access to Wordpress.org

Hello Tyler,

Modify the ACL:

access-list DMZ_Access_In permit tcp any any eq 80
access-list DMZ_Access_In permit tcp any any eq 443
access-list DMZ_Access_In permit udp any any eq 53

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Allow Webserver (DMZ) access to Wordpress.org

Thanks for the response, Julio.  I will apply the above and let you know! 

Re: Allow Webserver (DMZ) access to Wordpress.org

Hello Tyler,

Sure, let me know.

Remember to rate all the posts; that is as important as a thank you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Allow Webserver (DMZ) access to Wordpress.org

Hi Tyler,

Julio's suggestion works perfectly for you, and if you want to restrict your webserver communication to inside, consider adding the below:

access-list DMZ_Access_In extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433
access-list DMZ_Access_In extended permit icmp any any echo-reply
----------
access-list DMZ_Access_In extended deny ip any 10.10.1.0 255.255.255.0   (restrict any further communication from DMZ to inside subnet)

If you use internal DNS servers, then allow the port 53 to those servers as 2nd access-list line.

Julio, please correct if I miss anything.

Thx

MS

Re: Allow Webserver (DMZ) access to Wordpress.org

Hello,

That is correct, if restriction to the internal subnet is required that is how you need to do it,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Allow Webserver (DMZ) access to Wordpress.org

Thanks for the help!  Seems everything is working the way we want it to.  Just need to add a host record for the websites that we need now on DNS.
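
Added example, not part of the thread or of any poster's configuration: an ASA interface ACL is evaluated top-down, the first match wins and an implicit deny closes the list, so where the inside-subnet deny sits relative to the broad `any any` permits decides whether DMZ hosts can still reach inside hosts on ports 80/443/53. The Python sketch below models only the tcp/udp/ip entries quoted above; `parse_ace`, `evaluate`, the two orderings and the internet address 198.51.100.10 are constructed for illustration.

```python
import ipaddress

def parse_addr(tok):
    """Consume one address spec from the token list: any | host IP | NET MASK."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()[2:]                 # drop "access-list NAME"
    if tok[0] == "extended":
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = parse_addr(tok), parse_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, port=None):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, dnet, eq = parse_ace(line)
        if p in ("ip", proto) and s in snet and d in dnet and eq in (None, port):
            return action
    return "deny"

# Entries as quoted in the thread (ICMP entry left out: types are not modelled).
WEB = [
    "access-list DMZ_Access_In permit tcp any any eq 80",
    "access-list DMZ_Access_In permit tcp any any eq 443",
    "access-list DMZ_Access_In permit udp any any eq 53",
]
INSIDE = [
    "access-list DMZ_Access_In extended permit tcp host 172.100.1.64 host 10.10.1.21 eq 1433",
    "access-list DMZ_Access_In extended deny ip any 10.10.1.0 255.255.255.0",
]
APPENDED = WEB + INSIDE        # constructed ordering: deny lands after the permits
RESTRICT_FIRST = INSIDE + WEB  # constructed ordering: deny precedes the permits

if __name__ == "__main__":
    # DMZ web server to an inside host on tcp/80, then to an internet host on tcp/443.
    for name, acl in (("APPENDED", APPENDED), ("RESTRICT_FIRST", RESTRICT_FIRST)):
        print(name,
              evaluate(acl, "tcp", "172.100.1.10", "10.10.1.21", 80),
              evaluate(acl, "tcp", "172.100.1.10", "198.51.100.10", 443))
```

On the device itself, `show access-list DMZ_Access_In` lists the entries in evaluation order with hit counts, which is the place to confirm that the deny to the inside subnet precedes the general permits.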
