Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
314
Views
0
Helpful
3
Replies

Lock down DMZ - Need assistance

Jason Flory
Level 1
Level 1

‎12-08-2015 11:30 PM - edited ‎03-12-2019 12:01 AM

Hello Everyone

I am trying to lock down our DMZ a little better while allowing DMZ hosts to have internet access.   My goal is to allow hosts to access internet using our core outbound service group which is a small collection of protocols.  I want inside hosts to be able to access DMZ hosts but do not want to have DMZ hosts accessing inside hosts unless explicitly allowed.   So far i have denied all access to internal hosts and allowed access to internet with the core services group but the problem is that the DMZ hosts also access the internal network with the core services group.  

See below

access-list dmz_access extended permit icmp any4 any4 ------------(inside and outside access which is what we want)
access-list dmz_access extended permit udp any4 any4 eq domain ---------------(inside and outside access which is what we want)
access-list dmz_access extended permit object-group obj_Core_outbound any4 any4 (this one allows access to internet as desired but also allows access to inside network which we do not want)
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 -----------------(have a feeling this is not needed but keep this to ensure the last rule will deny inside traffic)

Is there a way to define public internet which would exclude the inside network?   

Then I could allow core_outbound to the internet only.

Any help much appreciated

Labels:
0 Helpful
3 Replies 3

Shivapramod M
Level 1
Level 1

‎12-08-2015 11:53 PM

Hi Jason,

Can you move the deny ACL which denies the access to the inside subnet in the top so that the ASA will match the destination IP and blocks the traffic to inside subnet only. If you have some permitted interface from DMZ to inside then create ACL and keep above the deny.

Since you have the allow policy in the top it is taking that and forwarding the traffic to inside.

So the rule order must be

-Allow ACL from DMZ to inside (Specific).

-Deny ACL with the destaintion as 10.0.0.0/8

-Create ACL for internet traffic with the source and destiantion as any

This should resolve your issue.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

0 Helpful

Jason Flory
Level 1
Level 1
In response to Shivapramod M

‎12-14-2015 03:14 PM

Thank you

That was it.  Appreciate the help

0 Helpful

Shivapramod M
Level 1
Level 1
In response to Jason Flory

‎12-14-2015 05:14 PM

Hi Jason,

You are welcome 

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card