Accessing DMZ from one IP

michalberanek1
Level 1

Hi all,

I would like to kindly ask you for help with the configuration of a Cisco ASA 5505. I need to say that I am a beginner in ASA networking :)

I have a standard network model configured on the ASA: DMZ, OUTSIDE, INSIDE. In the DMZ I have an application server which needs to communicate with a DB server in inside. I know that best practice is to disable all communication from DMZ to inside, but I can't do it in a different way now. So my question has two parts.

1) How do I allow communication between DMZ and inside on one specific port (MSSQL)?

2) As I will create some potential threat by opening communication between DMZ and inside, I would like to allow communication from outside to DMZ on 443 (also a certificate will be needed to access the application server) and also allow this communication only from one specific outside IP address. Only one organization with a public IP will need to connect to our appsrv.

Many thanks for your answers

1 Reply

Philip D'Ath
VIP Alumni

First create some objects to make a nice config.

object network application-server-name
 host x.x.x.x
object network db-server-name
 host x.x.x.x

Then create a rule to allow traffic from DMZ to inside.

access-list dmz_access_in extended permit tcp object application-server-name object db-server-name eq <tcp port>
access-group dmz_access_in in interface dmz

Then create an object NAT rule for the application server.  In this case, I'm going to assume you are using the firewall's IP address itself.

object network application-server-name
 nat (dmz,outside) static interface service tcp 443 443

And lastly, you need a rule on the outside interface to allow the traffic in.

access-list outside_access_in extended permit tcp any object application-server-name eq 443
access-group outside_access_in in interface outside
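The following is an added example, not part of the reply above, that puts the pieces together for both parts of the question and narrows the outside rule to the single partner IP the asker mentioned. It assumes ASA 8.3 or later (object NAT, ACLs matching real addresses), the MSSQL default port 1433, and placeholder addresses that must be replaced with the real ones.

```cisco
! Added example, not from the original thread. All addresses are
! placeholders (RFC 5737 documentation ranges); replace them with yours.
! 1433 is the MSSQL default; change it if the DB server listens elsewhere.
object network application-server-name
 host 192.0.2.10
object network db-server-name
 host 198.51.100.20
object network inside-network
 subnet 198.51.100.0 255.255.255.0
object network partner-public-ip
 host 203.0.113.5
!
! Part 1: DMZ -> inside only from the app server, only to the DB
! server, only on the SQL port. Applying an ACL to dmz replaces the
! security-level default with an implicit deny at the end, so the
! explicit deny to the inside network is followed by a permit that
! keeps outbound access (updates, DNS, NTP) working for DMZ hosts.
access-list dmz_access_in extended permit tcp object application-server-name object db-server-name eq 1433
access-list dmz_access_in extended deny ip any object inside-network
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
!
! Part 2: publish the app server on the outside interface address,
! port 443 only, and admit only the partner's public IP. On 8.3+ the
! ACL matches the real (untranslated) DMZ address of the server.
object network application-server-name
 nat (dmz,outside) static interface service tcp 443 443
access-list outside_access_in extended permit tcp object partner-public-ip object application-server-name eq 443
access-group outside_access_in in interface outside
```

To confirm the policy behaves as intended, `show access-list dmz_access_in` and `show access-list outside_access_in` show per-line hit counts, and `packet-tracer input outside tcp 203.0.113.5 40000 <outside-interface-ip> 443` (placeholder addresses) walks a simulated connection through NAT and the ACL and reports where it would be dropped.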
