10-23-2012 12:02 PM - edited 03-11-2019 05:13 PM
Hello all
Trying to set up a DMZ on an ASA5505 with UL and Sec+ licenses.
inside 10.20.0.0
DC/DNS 10.20.2.1
Fileserver 10.20.2.3
DMZ 10.21.0.0
App1 10.21.2.1 - Outside 12.12.12.3
App2 10.21.2.2 - Outside 12.12.12.4
outside 12.12.12.2
My end goals are
1. Allow internet access from outside to App1 and App2 on port 80 & 443
2. Allow App1 & App2 access to the DC/DNS & Fileserver servers on the inside interface ... no NAT
As soon as I add "access-group DMZ_TO_INSIDE in interface DMZ" I lose DNS and browsing while using 8.8.8.8 as a name server. If I use DC/DNS as a name server I can resolve internet names to IPs but not browse the internet.
Any help would be greatly appreciated
interface Ethernet0/0
description *WAN* (Physical Interface)
switchport access vlan 2
!
interface Ethernet0/1
description *LAN* (Physical Interface)
!
interface Ethernet0/2
description *DMZ* (Physical Interface)
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.1.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.12.12.2 255.255.255.224
!
interface Vlan3
nameif DMZ
security-level 50
ip address 10.21.1.1 255.255.0.0
!
boot system disk0:/asa825-33-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name pme.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WKSMITH_CRYPTO extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list WKSMITH_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list NAT0 extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NAT0 extended permit ip any 10.20.11.0 255.255.255.0
access-list KINCEY-Split-Tunnel standard permit 10.20.0.0 255.255.0.0
access-list KINCEY-Split-Tunnel standard permit 10.10.0.0 255.255.0.0
access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool PME-NC-VPNPOOL 10.20.11.1-10.20.11.50 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NAT0
nat (inside) 1 10.20.0.0 255.255.0.0
nat (inside) 1 10.22.0.0 255.255.0.0
nat (DMZ) 1 10.21.0.0 255.255.0.0
static (inside,DMZ) 10.20.0.0 10.20.0.0 netmask 255.255.0.0
static (DMZ,inside) 10.21.0.0 10.21.0.0 netmask 255.255.0.0
access-group DMZ_TO_INSIDE in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
route inside 10.22.0.0 255.255.0.0 10.20.0.1 1
10-23-2012 12:30 PM
Hello Cyber,
The first thing I have to say is that if you set that ACL, only traffic from those 2 DMZ hosts to the internal DNS servers on UDP port 53 (DNS) will be allowed; any other kind of traffic will be denied.
So I would say you want to be able to access from the DMZ only the DNS services on the inside and have full internet access, but at the same time block all other traffic to the inside.
For that do the following:
access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain
access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain
access-list DMZ_TO_INSIDE deny ip any 10.20.1.0 255.255.0.0
access-list DMZ_TO_INSIDE deny ip any 10.22.1.0 255.255.0.0
access-list DMZ_TO_INSIDE permit ip any any
Regards,
Remember to rate all of the helpful posts
Julio
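The behaviour the answer describes comes from two ASA ACL properties: entries are matched top-down, first match wins, and anything that matches no entry hits the implicit deny at the end of the list. The following Python simulation, added here and not taken from the thread or from Cisco, walks the asker's four traffic cases (DNS to the internal DC, DNS to 8.8.8.8, HTTPS to the internet, SMB to the file server) through the two-line ACL as posted and through the five-line ACL from the answer. The `name` entries for `App1-INT`, `App2-INT` and `DNS` are not shown in the posted config, so the IP mapping is assumed from the topology listed in the question; the flows themselves are constructed samples, and 203.0.113.10 is a documentation address standing in for an arbitrary web server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The "name" commands are not in the posted config, so this mapping is an
# ASSUMPTION taken from the topology in the question
# (App1 10.21.2.1, App2 10.21.2.2, DC/DNS 10.20.2.1).
NAMES = {"App1-INT": "10.21.2.1", "App2-INT": "10.21.2.2", "DNS": "10.20.2.1"}
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens):
    """Consume one ASA address spec; return (network, remaining tokens)."""
    kw = tokens[0]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1])), tokens[2:]
    # "address mask": the mask is applied bitwise, so 10.20.1.0 255.255.0.0
    # covers the same range as 10.20.0.0/16.
    return ipaddress.ip_network(f"{kw}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list NAME [extended] ...' line into an entry."""
    t = line.split()[2:]            # drop "access-list NAME"
    if t[0] == "extended":
        t = t[1:]
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    dst, t = _addr(t)
    dport = None
    if t and t[0] == "eq":
        dport = PORT_NAMES.get(t[1]) or int(t[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, flow):
    """First-match evaluation; traffic matching no entry hits the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(flow.dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != flow.dport:
            continue
        return ace["action"], f"line {n}"
    return "deny", "implicit deny"


# The ACL exactly as the asker applied it to the DMZ interface.
ORIGINAL_ACL = [
    "access-list DMZ_TO_INSIDE extended permit udp host App1-INT host DNS eq domain",
    "access-list DMZ_TO_INSIDE extended permit udp host App2-INT host DNS eq domain",
]

# The same ACL with the three lines the answer adds.
ANSWER_ACL = ORIGINAL_ACL + [
    "access-list DMZ_TO_INSIDE deny ip any 10.20.1.0 255.255.0.0",
    "access-list DMZ_TO_INSIDE deny ip any 10.22.1.0 255.255.0.0",
    "access-list DMZ_TO_INSIDE permit ip any any",
]

# Constructed sample flows from App1.
FLOWS = {
    "dns to internal DC": Flow("udp", "10.21.2.1", "10.20.2.1", 53),
    "dns to 8.8.8.8": Flow("udp", "10.21.2.1", "8.8.8.8", 53),
    "https to internet": Flow("tcp", "10.21.2.1", "203.0.113.10", 443),
    "smb to fileserver": Flow("tcp", "10.21.2.1", "10.20.2.3", 445),
}


def compare():
    """Return {flow name: (verdict under original ACL, verdict under answer ACL)}."""
    return {name: (evaluate(ORIGINAL_ACL, f)[0], evaluate(ANSWER_ACL, f)[0])
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:20} original: {evaluate(ORIGINAL_ACL, f)}  answer: {evaluate(ANSWER_ACL, f)}")
```

Under the original two-line ACL only the DNS query to the internal DC is permitted; the query to 8.8.8.8 and the HTTPS session both fall through to the implicit deny, which is exactly the "lose DNS and browsing" symptom. With the answer's lines added, both reach the final `permit ip any any`, while SMB to the file server is stopped by the `deny ip any 10.20.1.0 255.255.0.0` entry, so the second goal in the question (DMZ hosts reaching the file server without NAT) would still need its own permit entry placed above that deny.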