10-17-2003 02:13 AM - edited 03-09-2019 05:11 AM
Hi all,
Can someone give me some advice please? What I am trying to achieve is:
1- a dmz with internet access
2- outside access to dmz for www from any
3- access from inside host to dmz for smtp and 1433
4- access for requests from dmz to inside host from smtp and 1433
my basic config is:
hostname firewall
domain-name domain.local
nameif e0 outside sec0
nameif e1 inside sec100
nameif e2 dmz sec50
int e0 100full
int e1 100baset
int e2 100full
ip address inside 10.171.92.5 255.255.255.0
ip address outside 62.x.x.1 255.255.255.252
ip address dmz 192.168.200.1 255.255.255.252
route outside 0 0 62.x.x.2 1
nat (dmz) 1 192.168.200.2 255.255.255.255 0 0
global (outside) 1 interface
static (dmz,outside) tcp 62.x.x.1 www 192.168.200.2 www netmask 255.255.255.255
access-list outside_dmz permit tcp any host 62.x.x.1 eq www
access-group outside_dmz in interface outside
static (inside,outside) tcp 192.168.200.2 25 10.171.92.3 25 netmask 255.255.255.255
static (inside,outside) tcp 192.168.200.2 1433 10.171.92.4 1433 netmask 255.255.255.255
access-list dmz_inside permit tcp any host 10.171.92.3 eq smtp
access-list dmz_inside permit tcp any host 10.171.92.3 eq 1433
access-group dmz_inside in interface inside
--------------------------
Can anyone tell me if I have this correct? I seem to be getting confused as to where I place the access-group command. Is it on the inside interface?
Many thanks for your time
Andy
10-17-2003 04:25 AM
hi,
for your scenario 1;
if you mean to allow access from dmz to outside, it seems ok.
for scenario 2;
it seems ok.
for scenario 3;
you have to use a nat statement like you did for nat(dmz) and also a global. Or, if you don't want to nat, you can use "nat(inside) 0 0" to disable nat.
for scenario 4;
your static statements must be like "static (inside,dmz)" and you have to apply the dmz_inside to the dmz interface instead of inside. And I couldn't understand why you made the second static for 10.171.92.4. Will it be 10.171.92.3? If yours is true, it must be allowed in the access-list, too.
hope this helps..
10-20-2003 12:44 AM
Hi,
Thanks for the reply.
3 - If I apply an access list to the dmz interface, what do I need to have? I tried this, allowing an access list to the dmz for 25 and 1433, but this just stopped internet access by blocking DNS etc.
4 - I made a mistake the statics should be the same sorry.
I think the problem I am seeing is that I'm not sure how to set up the access from dmz to inside. If I create statics for the internal server IP to the dmz server IP for the two ports, then create an ACL that allows just those ports, then this ACL blocks the traffic to the internet. How do I set this up?
thanks again
Andy
10-20-2003 06:07 AM
yes Andy, sorry I missed that. I think you have to add a new line to access-list dmz_inside. Because of the implicit deny statement at the end of the access-list, your web server can't access the outside. So, if you append a statement that permits your webserver to the outside, it will be ok.
can you try and let me know?
10-20-2003 08:30 AM
I think he is right. You will have to include the line in your outside_dmz access list in your dmz_inside access list, then apply the dmz_inside access list to your DMZ interface. Remember the name 'dmz_inside' is *only* a name; it's not instructing the access-list to only perform functions going to the inside from the dmz, it applies it to the entire interface regardless of where the traffic goes to. Also remember you don't need anything permitting access from the inside to the dmz because higher to lower communication is permitted, and the inside is "higher" than the dmz interface, but you do need to allow the dmz through to the inside. Sometimes it gets to be a pain to make sure you have multiple ACLs correctly entered. You can always just use a conduit command to allow specific traffic from the dmz to the inside; that's what I do when I have very long ACLs and ACLs on multiple interfaces... even though I think Cisco doesn't recommend that you use conduits and ACLs together, it works for me, and I know a lot of engineers who do the same. Hope that helps.
10-23-2003 01:03 AM
Hi,
I have changed my config as below. I'm not sure on setting up conduits so would prefer ACLs. Even with what's below I still get deny messages when trying to access the internet from the dmz when the dmz_int acl is applied. I thought a higher (dmz) to lower (outside) was allowed anyway? I think most of it is correct but I can't reason why I get the deny statements now.
Thanks for your help guys I appreciate it.
Andy
hostname firewall
domain-name domain.local
nameif e0 outside sec0
nameif e1 inside sec100
nameif e2 dmz sec50
int e0 100full
int e1 100baset
int e2 100full
ip address inside 10.171.92.5 255.255.255.0
ip address outside x.x.x.1 255.255.255.252
ip address dmz 192.168.200.1 255.255.255.252
route outside 0 0 x.x.x.2 1
nat (dmz) 1 192.168.200.2 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 2 10.171.92.3 255.255.255.255
global (dmz) 2 interface
static (dmz,outside) tcp x.x.x.1 www 192.168.200.2 www netmask 255.255.255.255
access-list outside_int permit tcp any host x.x.x.1 eq www
access-group outside_int in interface outside
static (inside,dmz) tcp 192.168.200.2 25 10.171.92.3 25 netmask 255.255.255.255
static (inside,dmz) tcp 192.168.200.2 1433 10.171.92.3 1433 netmask 255.255.255.255
access-list dmz_int permit tcp host 192.168.200.2 host 10.171.92.3 eq smtp
access-list dmz_int permit tcp host 192.168.200.2 host 10.171.92.3 eq 1433
access-list dmz_int permit tcp interface dmz interface outside
access-list dmz_int permit udp interface dmz interface outside
access-group dmz_int in interface dmz
10-23-2003 04:43 AM
I have got it sorted. In the end I spoke to TAC and I realise now where I was going wrong.
I didn't understand that I needed to allow the server in the dmz an acl so it would access the dmz interface then the statics would take over.
Thanks for your time again
Andy
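Added example, not from the thread or from TAC: one way to write the DMZ-side translations and ACL so that they line up with the two points the replies make (the ACL on the dmz interface is evaluated against addresses as seen from the dmz, and the implicit deny at the end of the list must be preceded by a permit for the server's internet traffic). It assumes the "interface" keyword is accepted in a port static on this PIX release and keeps the thread's x.x.x.1 placeholder for the outside address.

```cisco
! Port statics publish the inside hosts on the dmz interface address.
! The dmz is a /30, so 192.168.200.2 is the web server itself and cannot also be
! a mapped address; "interface" (assumed supported here) uses 192.168.200.1.
static (inside,dmz) tcp interface 25 10.171.92.3 25 netmask 255.255.255.255
static (inside,dmz) tcp interface 1433 10.171.92.3 1433 netmask 255.255.255.255
! Outbound web server publication and its PAT for internet access, as in the thread.
static (dmz,outside) tcp x.x.x.1 www 192.168.200.2 www netmask 255.255.255.255
nat (dmz) 1 192.168.200.2 255.255.255.255 0 0
global (outside) 1 interface
! dmz ACL: the server talks to the mapped address 192.168.200.1, not to
! 10.171.92.3, so that is what the permit lines must reference.
access-list dmz_int permit tcp host 192.168.200.2 host 192.168.200.1 eq smtp
access-list dmz_int permit tcp host 192.168.200.2 host 192.168.200.1 eq 1433
! Explicitly block everything else from the dmz toward the inside network
! before the general permit, so the web server cannot reach other inside hosts.
access-list dmz_int deny ip host 192.168.200.2 10.171.92.0 255.255.255.0
! Remaining traffic is internet-bound (including DNS); without this line the
! implicit deny at the end of the list drops it, which is the symptom above.
access-list dmz_int permit ip host 192.168.200.2 any
access-group dmz_int in interface dmz
! Outside ACL unchanged: public access to the web server only.
access-list outside_int permit tcp any host x.x.x.1 eq www
access-group outside_int in interface outside
```

Checking the result on the PIX itself is a matter of watching the deny messages in the log disappear for the 192.168.200.2 traffic and confirming with show xlate that the two port translations are built when the server connects.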