Allow internet access without using 'any' with ASDM

Hi,

I'm wondering if there is an 'easy' way of allowing a host on a DMZ access to the internet (HTTP) but without allowing it access to the internal LAN (also HTTP).

To clarify the scenario, you have an ASA with 3 interfaces: Internal, DMZ, Outside. Let's assume NAT is sorted, so we can ignore any NATing. I want to allow a host on the DMZ access through the ASA to the internet (over TCP 80), but don't want that same host to have access to the LAN over TCP 80.

I may be wrong, but if you add a rule on the DMZ ACL (source = host on the DMZ to have access to the internet, destination = any (internet), service TCP 80), would this not also give the host on the DMZ access to the LAN interface (being as that falls into 'any') as well?

So, is there a way of allowing a host access to the internet, while still not allowing that host access to more secure networks, without having to add a deny rule as well?

Thanks

Terry

3 Replies

andrew.prince
Level 10

Write an acl and the first line would be a deny to the inside LAN, then a permit to any.

HTH

Thanks Andrew sounds good.

np - glad to help.
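The ordering Andrew describes, written out as an ASA ACL. This is an added example, not configuration from the thread; the DMZ host address 172.16.10.10, the inside LAN range 10.1.0.0/16 and the interface nameif DMZ are assumed values. ASA ACLs are evaluated top-down on first match, so the deny to the LAN has to sit above the permit to any; the final explicit deny only duplicates the implicit deny, but gives you a hit counter to watch.

```cisco
access-list DMZ_IN remark Added example (not from the thread); addresses are constructed
access-list DMZ_IN remark 1. Block the DMZ host from reaching the inside LAN on TCP 80 first
access-list DMZ_IN extended deny tcp host 172.16.10.10 10.1.0.0 255.255.0.0 eq 80
access-list DMZ_IN remark 2. Only then permit the same host to any remaining destination on TCP 80
access-list DMZ_IN extended permit tcp host 172.16.10.10 any eq 80
access-list DMZ_IN remark 3. Explicit catch-all deny (same as the implicit deny, but with a visible hit count)
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface DMZ
```

Check the result with `show access-list DMZ_IN` (hit counts per line) or `packet-tracer input DMZ tcp 172.16.10.10 12345 10.1.0.5 80`, which should report a drop on the deny line; if the LAN has several subnets, put them in a network object-group and reference it in the deny line instead of repeating it.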
