07-07-2012 04:38 PM - edited 03-11-2019 04:27 PM
Hello,
I've set up my server in the DMZ. I was able to make some rules to allow the dmz host to access for example, my SQL server on the inside. It was just an ALLOW rule I had to make.
I would need this DMZ host (only this host, not the other DMZ members) to access HTTP on the internet... for windows update and for other things...
Most examples I find are all based on older versions of the ASA ... before the natting rules changed. Please help me with this config... and keep in mind that I'm a beginner so you might be more effective to give concrete examples rather than general instructions.
here's my setup attached;
P.S. The entries there which are for 172.21.20.2 are just attempts ... forgot to remove them from my running-config.
07-07-2012 07:02 PM
Here you go:
access-list dmz_access_in extended deny ip object Webserver 172.20.20.0 255.255.254.0
access-list dmz_access_in extended permit tcp object Webserver any eq 80
The above will "deny" the webserver from accessing the internal network except those that you have already allowed earlier, and allow the webserver to access the internet on port 80.
If you also want to allow port 443 (HTTPS), then just add the following:
access-list dmz_access_in extended permit tcp object Webserver any eq 443
07-07-2012 10:58 PM
Hi Jennifer, your solution helped me fix my issue, but I had to add a few things to it. I would just like to confirm what I did was correct.
In addition to the access-lists, I had to make a nat rule from DMZ to outside. I also had to create an access list for permitting "tcp-udp/domain" because I saw that my dns was not working.
Am I on the right track?
07-08-2012 02:17 AM
Correct, you would need NAT for the web server and access-list to permit DNS resolution (UDP/53) as follows:
object network WebserverDMZ
host 172.21.20.2
nat (dmz,outside) dynamic interface
access-list dmz_access_in extended permit udp object Webserver any eq 53
07-13-2012 11:43 AM
Hi,
Not quite got it yet;
I've attached my configuration here; with this configuration I am able to access the web host from the outside, but I cannot get to the internet from the web host.
It seems when I make changes suggested above, I can indeed access the internet from the DMZ.
Can someone please look at my sample config attached (took out unnecessary lines), and suggest modifications to achieve the following;
1) DMZ-WINDOWS1 should be hit when hit from requests from the internet.
2) DMZ-WINDOWS1 and DMZ-LINUX1 should be able to communicate with the outside (and domain, https, etc.)
Thanks in advance!
07-17-2012 12:10 AM
You are missing the following line:
access-group dmz_access_in in interface dmz
The above will achieve your point number 2).
07-21-2012 08:40 PM
Hello,
Unfortunately your solution didn't work ... but I made some changes to allow it to work but I was wondering if you can validate the setup.
I know there's a problem with it for DNS already. Please see the following config;
interface Vlan1
nameif inside
security-level 100
ip address 172.20.20.1 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Acanac
ip address pppoe setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 172.21.20.1 255.255.255.0
dns server-group DefaultDNS
domain-name BRENDAN-WOOD.LOCAL
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SRV-DMZ-LINUX1
host 172.21.20.3
description DMZ Linux Host 1
object network SRV-DMZ-WINDOWS1
host 172.21.20.2
description DMZ Windows Host 1
object network NETWORK_OBJ_10.20.20.0_27
subnet 10.20.20.0 255.255.255.224
object network TEST
host 172.21.20.2
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network SRV-DMZ-GROUP
network-object object SRV-DMZ-LINUX1
network-object object SRV-DMZ-WINDOWS1
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP any
access-list OutsidetoDMZ extended permit object-group DM_INLINE_SERVICE_1 any object-group SRV-DMZ-GROUP
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.20.0_27 NETWORK_OBJ_10.20.20.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network SRV-DMZ-LINUX1
nat (dmz,outside) dynamic interface
object network SRV-DMZ-WINDOWS1
nat (dmz,outside) static interface service tcp www www
object network TEST
nat (dmz,outside) dynamic interface
access-group OutsidetoDMZ in interface outside
access-group dmz_access_in in interface dmz
07-22-2012 03:27 AM
DNS should be UDP instead of TCP, so your service object group should be changed:
FROM:
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
TO:
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
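An added example, not code from this thread or from Cisco: a small first-match evaluator for the simple ASA extended ACL syntax used in the answers above, to check which DMZ flows the dmz_access_in list passes once it is bound with access-group (after that, anything not explicitly permitted is dropped by the implicit deny). The Webserver object definition and the sample flows are constructed here to mirror the posted config.

```python
# Added example, not from the thread or Cisco: first-match evaluation of the
# ASA extended ACL lines posted above (permit|deny PROTO SRC DST [eq PORT]).
import ipaddress

# Constructed stand-in for the thread's "object network Webserver" (host 172.21.20.2).
OBJECTS = {"Webserver": ipaddress.ip_network("172.21.20.2/32")}


def _addr(tokens):
    """Consume one address spec: 'any', 'object NAME', or 'ip mask'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object":
        return OBJECTS[tokens[1]], tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    action, proto = t[3], t[4]
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None  # destination port only
    return {"name": t[1], "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, src_ip, dst_ip, proto, dport=None):
    """Return 'permit' or 'deny' for a flow: the first matching ACE wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):           # 'ip' matches every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ASA ACL


# The dmz_access_in list from the first answer plus the UDP/53 line for DNS.
DMZ_ACL = [parse_ace(l) for l in [
    "access-list dmz_access_in extended deny ip object Webserver 172.20.20.0 255.255.254.0",
    "access-list dmz_access_in extended permit tcp object Webserver any eq 80",
    "access-list dmz_access_in extended permit tcp object Webserver any eq 443",
    "access-list dmz_access_in extended permit udp object Webserver any eq 53",
]]

if __name__ == "__main__":
    print(evaluate(DMZ_ACL, "172.21.20.2", "172.20.20.10", "tcp", 80))  # deny: inside net matched first
    print(evaluate(DMZ_ACL, "172.21.20.2", "203.0.113.53", "udp", 53))  # permit: DNS over UDP
    print(evaluate(DMZ_ACL, "172.21.20.3", "203.0.113.80", "tcp", 80))  # deny: other DMZ host, no ACE
```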