cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
481
Views
0
Helpful
3
Replies

Lock down DMZ - Need assistance

Jason Flory
Level 1
Level 1

Hello Everyone

I am trying to lock down our DMZ a little better while allowing DMZ hosts to have internet access.   My goal is to allow hosts to access internet using our core outbound service group which is a small collection of protocols.  I want inside hosts to be able to access DMZ hosts but do not want to have DMZ hosts accessing inside hosts unless explicitly allowed.   So far i have denied all access to internal hosts and allowed access to internet with the core services group but the problem is that the DMZ hosts also access the internal network with the core services group.  

See below

access-list dmz_access extended permit icmp any4 any4 ------------(inside and outside access which is what we want)
access-list dmz_access extended permit udp any4 any4 eq domain ---------------(inside and outside access which is what we want)
access-list dmz_access extended permit object-group obj_Core_outbound any4 any4 (this one allows access to internet as desired but also allows access to inside network which we do not want)
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 -----------------(have a feeling this is not needed but keep this to ensure the last rule will deny inside traffic)

Is there a way to define public internet which would exclude the inside network?   

Then I could allow core_outbound to the internet only.

Any help much appreciated

3 Replies 3

Shivapramod M
Level 1
Level 1

Hi Jason,

Can you move the deny ACL which denies the access to the inside subnet in the top so that the ASA will match the destination IP and blocks the traffic to inside subnet only. If you have some permitted interface from DMZ to inside then create ACL and keep above the deny.

Since you have the allow policy in the top it is taking that and forwarding the traffic to inside.

So the rule order must be

-Allow ACL from DMZ to inside (Specific).

-Deny ACL with the destaintion as 10.0.0.0/8

-Create ACL for internet traffic with the source and destiantion as any

This should resolve your issue.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Thank you

That was it.  Appreciate the help

Hi Jason,

You are welcome 

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Review Cisco Networking for a $25 gift card