DMZ access to inside and internet

Cybervex3
Level 1

Hello all

Trying to set up a DMZ on an ASA5505 with UL and Sec+ licenses.

inside  10.20.0.0
     DC/DNS     10.20.2.1
     Fileserver 10.20.2.3
DMZ     10.21.0.0
     App1 10.21.2.1 - Outside 12.12.12.3
     App2 10.21.2.2 - Outside 12.12.12.4
outside 12.12.12.2

My end goals are:

1. Allow internet access from outside to App1 and App2 on ports 80 & 443

2. Allow App1 & App2 access to the DC/DNS & Fileserver on the inside interface, no NAT

As soon as I add "access-group DMZ_TO_INSIDE in interface DMZ" I lose DNS and browsing while using 8.8.8.8 as a name server. If I use the DC/DNS as a name server I can resolve internet names to IPs but not browse the internet.

Any help would be greatly appreciated

interface Ethernet0/0
 description *WAN* (Physical Interface)
 switchport access vlan 2
!
interface Ethernet0/1
 description *LAN* (Physical Interface)
!
interface Ethernet0/2
 description *DMZ* (Physical Interface)
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.224
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.21.1.1 255.255.0.0
!
boot system disk0:/asa825-33-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name pme.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WKSMITH_CRYPTO extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list WKSMITH_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list NAT0 extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NAT0 extended permit ip any 10.20.11.0 255.255.255.0
access-list KINCEY-Split-Tunnel standard permit 10.20.0.0 255.255.0.0
access-list KINCEY-Split-Tunnel standard permit 10.10.0.0 255.255.0.0
access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool PME-NC-VPNPOOL 10.20.11.1-10.20.11.50 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NAT0
nat (inside) 1 10.20.0.0 255.255.0.0
nat (inside) 1 10.22.0.0 255.255.0.0
nat (DMZ) 1 10.21.0.0 255.255.0.0
static (inside,DMZ) 10.20.0.0 10.20.0.0 netmask 255.255.0.0
static (DMZ,inside) 10.21.0.0 10.21.0.0 netmask 255.255.0.0
access-group DMZ_TO_INSIDE in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
route inside 10.22.0.0 255.255.0.0 10.20.0.1 1

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Cyber,

The first thing I have to say is that if you set that ACL, only traffic from those 2 DMZ hosts to the internal DNS servers on UDP port 53 (DNS) will be allowed; any other kind of traffic will be denied.

So I would say you want to be able to access from DMZ only the DNS services on the inside and full internet access but at the same time block all other traffic to inside.

For that do the following:

access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended deny ip any 10.20.0.0 255.255.0.0
access-list DMZ_TO_INSIDE extended deny ip any 10.22.0.0 255.255.0.0
access-list DMZ_TO_INSIDE extended permit ip any any

Regards,

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
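The behaviour behind both the question and the accepted answer (the ASA walks an interface ACL top to bottom, the first matching line wins, and anything that matches no line hits the implicit deny at the end) can be checked offline before touching the firewall. The following Python is an added example written for this thread; it is not Cisco code and not part of the original posts. It parses the DMZ_TO_INSIDE lines as posted, evaluates a few constructed flows against the two-line ACL from the question and the five-line ACL from the answer, and reports which line decided each one. Assumptions: the object names App1-INT, App2-INT and DNS resolve to the addresses listed in the question (the HOSTS table below), 203.0.113.10 is a constructed stand-in for an internet web server, and the deny lines are written against 10.20.0.0/16 and 10.22.0.0/16, the inside networks from the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object names from the posted config, resolved to the addresses given in the
# question (assumed mapping; the thread never shows the object definitions).
HOSTS = {
    "App1-INT": "10.21.2.1",
    "App2-INT": "10.21.2.2",
    "DNS": "10.20.2.1",
    "Fileserver": "10.20.2.3",
}
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None matches any destination port


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host NAME|ADDR' or 'ADDR MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        addr = HOSTS.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.IPv4Network(addr + "/32"), i + 2
    # strict=False: a non-aligned address such as 10.20.1.0 255.255.0.0
    # collapses to the 10.20.0.0/16 it was meant to describe
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    i = 2                         # skip "access-list NAME"
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based ACE number); a flow
    matching no line hits the implicit deny and returns ("deny", None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# The ACL exactly as the question posts it (two permits, nothing else).
ORIGINAL_ACL = parse_acl("""
access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain
""")

# The ACL from the accepted answer, deny networks written as the inside /16s.
FIXED_ACL = parse_acl("""
access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended deny ip any 10.20.0.0 255.255.0.0
access-list DMZ_TO_INSIDE extended deny ip any 10.22.0.0 255.255.0.0
access-list DMZ_TO_INSIDE extended permit ip any any
""")

# Constructed sample flows entering the DMZ interface (203.0.113.10 is a
# documentation address standing in for an internet web server).
FLOWS = [
    ("DNS to DC from App1",          "udp", "10.21.2.1", "10.20.2.1",    53),
    ("DNS to 8.8.8.8 from App1",     "udp", "10.21.2.1", "8.8.8.8",      53),
    ("HTTPS to internet from App2",  "tcp", "10.21.2.2", "203.0.113.10", 443),
    ("SMB to file server from App1", "tcp", "10.21.2.1", "10.20.2.3",    445),
    ("HTTP to 10.22.0.0/16 host",    "tcp", "10.21.2.2", "10.22.5.5",    80),
]


def audit(acl: List[Ace]) -> dict:
    """Verdict per flow label, so the two ACLs can be compared side by side."""
    return {label: evaluate(acl, proto, src, dst, dport)
            for label, proto, src, dst, dport in FLOWS}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"--- {name} ---")
        for label, (action, n) in audit(acl).items():
            where = "implicit deny" if n is None else f"line {n}"
            print(f"{label:32} {action:6} ({where})")
```

Run as-is, the "original" section shows exactly the symptom in the question: DNS to the DC is permitted by line 1, but the query to 8.8.8.8 and the HTTPS session to the internet both fall through to the implicit deny. The "fixed" section permits both internet flows on line 5 while SMB to the file server and anything to 10.22.0.0/16 are stopped on lines 3 and 4. Because evaluation is first-match, moving the `permit ip any any` above the two denies would make them unreachable and re-open the inside networks, which is the ordering to check when reviewing an ACL like this.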
