Back to back dmz

Hello, I have two ASA firewall switches connected in between a server DMZ. One of the switches is configured to allow the DMZ to access the internet, but I'm having trouble on the second switch because I want the inside host to be able to talk to the DMZ but not have internet access. What is the ACL command to do that?

9 Replies

@EmekaNwokeji1398 

Hard to tell without seeing your network topology or configuration, but you just need to be specific in your destination IP/network on the ASA.

 

! Objects name the source network and the destination host used in the ACL
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-SERVER
 host 192.168.10.5
!
! Permit only inside -> DMZ server; everything else falls through to the
! implicit deny at the end of the list once the ACL is bound to an interface
access-list ACL extended permit ip object INSIDE-NET object DMZ-SERVER
!
! The ACL has no effect until it is applied inbound on the interface
! (interface name "inside" assumed; use the nameif configured on your ASA)
access-group ACL in interface inside

The example above will permit traffic from the INSIDE network to the DMZ server IP address. Amend accordingly to fit your environment.

Will that allow the inside network to talk to the internet? Because I want to deny it.

@EmekaNwokeji1398 

No, that will only allow the inside network to communicate with the DMZ server. By default, any traffic not specifically permitted will be denied, therefore no internet access.

Will the DMZ be able to communicate with the inside network, because the default security of the DMZ is less than the security of inside?

@EmekaNwokeji1398 

If you have an ACL from inside to DMZ (like suggested above) and traffic is initiated from the inside network to the DMZ, the DMZ network will be able to automatically respond.

 

If the traffic is initiated from the DMZ to the inside network, then you will need another ACL to permit the traffic to the inside network.

Okay. What would happen if I had the outside firewall for DMZ to outside set with the ACL extended permit ip any any? Will that affect the inside?

@EmekaNwokeji1398 

If that rule is configured inbound on the DMZ interface, then yes, the DMZ can communicate with the inside network.

 

If your intention is to not permit internet access from the inside, configure specific ACLs and ensure you permit exactly what you need. You could also make sure you have no NAT rules from inside to outside; if there are no NAT rules, the inside network cannot hope to communicate with the internet.
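A worked configuration for the approach described in this reply and in the first reply above: specific permits from inside to the DMZ server, an explicit deny for everything else, a DMZ-side ACL that refuses connections initiated toward inside, and no NAT for inside to outside. This is an added example, not configuration from the original thread. For illustration it collapses the two back-to-back ASAs into a single ASA with inside, dmz and outside interfaces; the interface names, security levels, addresses, object names and ACL names are assumptions, and the syntax is ASA 8.3+ (object NAT).

```cisco
! Added example (not from the thread). One ASA with three interfaces stands
! in for the back-to-back pair; all names and addresses below are assumed.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-SERVER
 host 192.168.10.5
object network DMZ-NET
 subnet 192.168.10.0 255.255.255.0
 ! NAT only for the DMZ; INSIDE-NET deliberately has no (inside,outside)
 ! translation. Note that on 8.3+ untranslated traffic is still routed, so
 ! the ACL on inside is what actually blocks it; the missing NAT is a second
 ! line of defence (a private source address gets no reply from the internet).
 nat (dmz,outside) dynamic interface
!
! inside -> DMZ server only. The trailing deny is implicit once the ACL is
! bound, but writing it out with "log" records inside hosts that try to reach
! the internet (or anything else) instead of dropping them silently.
access-list INSIDE_IN extended permit ip object INSIDE-NET object DMZ-SERVER
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! dmz -> outside for web and DNS only. The deny toward INSIDE-NET comes first
! because entries are matched top-down on first hit: a "permit ip any any"
! here would let the DMZ initiate connections into inside. Replies to
! inside-initiated sessions still return without a permit in this list,
! because the ASA is stateful and allows return traffic for known connections.
access-list DMZ_IN extended deny ip any object INSIDE-NET log
access-list DMZ_IN extended permit tcp object DMZ-NET any eq www
access-list DMZ_IN extended permit tcp object DMZ-NET any eq https
access-list DMZ_IN extended permit udp object DMZ-NET any eq domain
access-group DMZ_IN in interface dmz
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Verification from exec mode (not configuration), expected results in comments:
! packet-tracer input inside tcp 192.168.1.10 40000 192.168.10.5 443   ! ALLOW
! packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.7 443   ! DROP, ACL INSIDE_IN
! packet-tracer input dmz tcp 192.168.10.5 40000 192.168.1.10 445      ! DROP, ACL DMZ_IN
! packet-tracer input dmz tcp 192.168.10.5 40000 198.51.100.7 443      ! ALLOW, NAT to outside
```

One caveat worth keeping in mind: the "anything not permitted is denied" behaviour only holds once an ACL is bound inbound on the interface. An interface with no ACL falls back to the security-level default, which permits traffic from a higher level (inside, 100) to a lower one (dmz, outside), so the access-group line on inside is what actually closes inside to internet, and packet-tracer is the quickest way to confirm each flow hits the ACL entry you expect.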

balaji.bandi
Hall of Fame

Many reasons:

1. Is it the same IP address range? If not, you need NAT here to get to the internet.

2. You need an access rule to allow the new subnet to access the internet.

3. Routing is required, depending on the network.

 

These are only assumptions and suggestions. Provide more details like a small network diagram and IP address information (show run from the ASA).

BB


I'm sorry if I didn't include the topology and configurations. The reason is that I'm working on classified projects and I'm not trying to get in trouble.
