03-05-2008 08:28 AM - edited 03-11-2019 05:12 AM
Hi!
I'm a bit confused and need some config help.
How would you configure your PIX/ASA to let your DMZ, which has a public IP network, access the internet without NAT'ing it through the outside interface,
and without giving the DMZ access to anything else (like other DMZs, internal networks, etc.)?
Interface Outside
Public IP-Address/NW
Sec-level 0
Interface DMZ
Public IP-Address/NW
Sec-Level 20
Interface Inside
Internal IP Address/NW
Sec 100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 0.0.0.0 0.0.0.0
static (dmz,outside) dmz_nw dmz_nw
Shouldn't this be enough to let my DMZ out and able to access the internet without using my outside interface IP?
I have nat-control active also
Do I make sense?
Thanks
03-05-2008 08:47 AM
Hi,
The config you have should be enough to allow access to the internet for your DMZ hosts, provided that you do not have an acl applied to the DMZ interface.
If you do have an acl applied, you will need to modify the acl to permit the outbound traffic.
e.g:
access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80
access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443
access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53
NOTE: If you want to restrict access from the DMZ to your internal network on the ports mentioned above (you may have noticed the 'any' keyword used as the destination), then you need to add the following to your acl BEFORE the above mentioned lines:
e.g:
access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK
COMMAND SUMMARY:
access-list acl_dmz deny ip DMZ_NET DMZ_MASK INT_NET INT_MASK
access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 80
access-list acl_dmz permit tcp DMZ_NET DMZ_MASK any eq 443
access-list acl_dmz permit tcp DMZ_NET DMZ_MASK host DNS_SERVER eq 53
NOTES ON NATTING ON ASA:
Try to remember this: 'statics' override 'nats' for outbound connectivity, unless you specify a 'nat 0'.
In your case you have a static and a nat that covers the DMZ hosts, and taking the above into account, the NAT 0 statement will be used for the outbound connections.
Hope this helps!
03-06-2008 02:42 AM
Hi!
Brettilborrow:
I have an ACL on my DMZ, so I solved the problem then by doing just as you described it.
I was hoping though that there was a better way than having to implement a "deny ip
But regarding the ACL, I'm going from a higher sec-level towards a lower interface when going "outside", aren't I? My DMZ hosts should only get denied when encountering my other higher sec-level DMZ/inside interfaces.
Thanks, appreciate the help!
03-05-2008 01:52 PM
nat (dmz) 0 0.0.0.0 0.0.0.0
will allow DMZ to access Internal networks as well. Delete it, and you should be ok.
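Putting the two answers together, here is an added example of the resulting configuration (not posted by anyone in the thread). The addresses are placeholders: 203.0.113.0/24 stands for the public DMZ network, 10.0.0.0/8 for the internal network and 198.51.100.53 for the DNS server; the ACL name acl_dmz is taken from the reply above.

```cisco
! Assumed placeholder addressing for this example
! dmz    = 203.0.113.0/24 (public, must reach the internet untranslated)
! inside = 10.0.0.0/8     (private, must NOT be reachable from the dmz)
nat-control

! Inside hosts are PAT'ed to the outside interface address (as in the original post)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Identity static: dmz hosts keep their own public addresses toward the outside.
! This only creates a translation for the (dmz,outside) interface pair.
static (dmz,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! Deliberately NO "nat (dmz) 0 0.0.0.0 0.0.0.0" here: with nat-control on and no
! translation for the (dmz,inside) pair, dmz -> inside flows are dropped by the
! firewall before any ACL is consulted, which is the behaviour the question asks for.

! Explicit deny first, so the later "any" permits cannot reach the internal network
access-list acl_dmz extended deny   ip  203.0.113.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_dmz extended permit tcp 203.0.113.0 255.255.255.0 any eq 80
access-list acl_dmz extended permit tcp 203.0.113.0 255.255.255.0 any eq 443
access-list acl_dmz extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.53 eq 53
access-list acl_dmz extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.53 eq 53
! Everything else from the dmz is dropped by the implicit deny at the end of the ACL
access-group acl_dmz in interface dmz
```

Keeping the deny line in the ACL is still worthwhile even though the missing translation already blocks dmz -> inside: it makes the intent visible and keeps the block in place if someone later adds a nat 0 or a (dmz,inside) static.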