11-16-2012 04:50 PM - edited 03-11-2019 05:24 PM
Hi I need some help here I have an ASA 5505 with the security bundle, latest ASA software 9.0(1).
I have 3 DMZs. I initially allowed them access to the internet using e.g.:
object network obj_dmz1
subnet 192.168.1.0 255.255.255.0
nat (dmz1,outside) dynamic interface
This was fine, except when I then created a rule to allow the DMZ to the internal network on one IP and port, they could no longer access the outside network at all.
I can add an access rule to allow access to any, but that is hardly what I want - that gives full access to the internal network.
I presume the issue is because the implicit rule allowing any to a less secure network no longer applies now that I have created a NAT rule. So, how can I allow the hosts in the DMZ to access the internet again?
Thanks
11-16-2012 08:43 PM
Before the "permit any" you mentioned, add a "Deny all RFC 1918" (after the permit you already mentioned).
Karsten I. has a nice post here that explains this approach in more detail.
11-17-2012 03:18 AM
Thanks, that is exactly what I needed.
I ended up with this, which lets the DMZHOST get to anywhere apart from the internal subnets:
access-list dmz2_access_in extended permit tcp object DMZHOST object MAILSERVER eq smtp
access-list dmz2_access_in extended deny ip any object-group RFC1918
access-list dmz2_access_in extended permit ip object DMZHOST object obj_any
Works a treat, now the DMZHOST can access the Mailserver but nothing else internally, and go wherever it wants outside.
Thanks.
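To see why the ordering in the access-list above matters, here is an added example (not from the thread or from Cisco) that models ASA first-match ACL evaluation on constructed addresses; DMZHOST, MAILSERVER and RFC1918 are assumed to stand for the sample objects defined in the script, and the implicit deny at the end of an interface ACL is modelled explicitly.

```python
"""Added example (not from the original thread): a first-match model of the
ASA access-list dmz2_access_in, to check what each DMZ host can reach.
Addresses are constructed; DMZHOST, MAILSERVER and RFC1918 are assumed
object/object-group names standing for the values below."""
from ipaddress import ip_address, ip_network

# Constructed sample objects; replace with the real object definitions.
OBJECTS = {
    "DMZHOST": [ip_network("192.168.2.10/32")],
    "MAILSERVER": [ip_network("10.0.0.25/32")],
    "RFC1918": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
    "obj_any": [ip_network("0.0.0.0/0")],
}

# dmz2_access_in as posted: (action, protocol, source, destination, dst port)
DMZ2_ACCESS_IN = [
    ("permit", "tcp", "DMZHOST", "MAILSERVER", 25),   # smtp
    ("deny", "ip", "any", "RFC1918", None),            # block all internal nets
    ("permit", "ip", "DMZHOST", "obj_any", None),      # everything else (internet)
]

def _matches(name, addr):
    """True if addr falls in the named object, or the keyword is 'any'."""
    return name == "any" or any(addr in net for net in OBJECTS[name])

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' using first-match semantics. An ACL applied
    to an interface ends with an implicit deny, so an unmatched packet is
    dropped; that is why a lone 'permit ... eq smtp' line cuts off internet."""
    src, dst = ip_address(src), ip_address(dst)
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_matches(asrc, src) and _matches(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ASA interface ACL

if __name__ == "__main__":
    print(evaluate(DMZ2_ACCESS_IN, "tcp", "192.168.2.10", "10.0.0.25", 25))
    print(evaluate(DMZ2_ACCESS_IN, "tcp", "192.168.2.10", "203.0.113.5", 443))
    print(evaluate(DMZ2_ACCESS_IN[:1], "tcp", "192.168.2.10", "203.0.113.5", 443))
```

Evaluating only the first line (`DMZ2_ACCESS_IN[:1]`) reproduces the original symptom: the DMZ host reaches the mail server but nothing on the internet.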