
Accessing the Internet from DMZ for HTML Client

Status
Not open for further replies.

marcoR

IS-IT--Management
Sep 12, 2005
27
MX
Hi,
I have an ASA5510 and need to open Internet Access for the HTML clients in the DMZ (to consume WebServices).
I recently migrated my Internet Connection from one ISP to another, and this feature ceased to work.
I have working rules to access DMZ from the "Outside" and from "Inside" already.

Thanks in advance for your invaluable help.
Marco
 
Can you post your scrubbed config?
Show run
And mask the middle 2 octets of public ips and all passwords

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks
The IP addresses are not the real ones, and the passwords have been removed also.
The configuration file is included; do you need another type of file?

Thanks in advance for your invaluable help.
Marco
 
Delete these (they either don't work as you think or just don't work)
route Inside 0.0.0.0 0.0.0.0 10.1.100.235 1
route DMZ WS001b 255.255.255.255 10.1.100.235 1
route Outside_2 0.0.0.0 0.0.0.0 201.161.171.1 10
access-group DMZ_access_in in interface DMZ
nat (Inside) 0 192.168.55.0 255.255.255.0
nat (Inside) 0 10.1.100.0 255.255.255.0

The italic line basically allows all traffic, so this ACL is effectively non-existent.
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.120
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.201
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.210
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.127
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.128
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.240
access-list DMZ_access_in extended permit ip host WS001a any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip 10.1.100.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host WebServer host 192.168.55.202

The only thing that goes to the internet is the DMZ network
global (Outside) 2 interface
nat (DMZ) 2 10.1.100.0 255.255.255.0

I'm not sure of what the desired functionality is...

Brent
Systems Engineer / Consultant
CCNP, CCSP
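
An added worked example, not from the thread or from either poster, that models the ASA's top-down, first-match ACL evaluation in Python over the DMZ_access_in lines quoted above. It shows why the "permit ip any any" line makes every rule after it dead, and that once that single line is removed the "10.1.100.0 255.255.255.0 192.168.55.0 255.255.255.0" line still lets any DMZ host reach any inside host while the ACL's implicit deny blocks unlisted DMZ hosts from the Internet. The addresses assigned to WS001a and WebServer, and the test hosts, are constructed stand-ins.

```python
import ipaddress
from collections import namedtuple
# Constructed stand-in addresses for the thread's object names (not on the page); both sit in the 10.1.100.0/24 DMZ.
NAMES = {"WS001a": "10.1.100.11", "WebServer": "10.1.100.12"}
# The DMZ_access_in ACL exactly as quoted in the thread, in its original order.
ACL_TEXT = """\
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.120
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.201
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.210
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.127
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.128
access-list DMZ_access_in extended permit ip host WS001a host 192.168.55.240
access-list DMZ_access_in extended permit ip host WS001a any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip 10.1.100.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host WebServer host 192.168.55.202"""
Rule = namedtuple("Rule", "action proto src dst")

def _addr(t):  # consume one ASA address spec: 'any' | 'host NAME-or-IP' | 'NETWORK MASK'
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    spec = NAMES.get(t[1], t[1]) if t[0] == "host" else f"{t[0]}/{t[1]}"
    return ipaddress.ip_network(spec), t[2:]

def parse_acl(text):  # tokens: access-list NAME extended ACTION PROTO <src> <dst> (no ports in this ACL)
    rules = []
    for t in (line.split() for line in text.splitlines()):
        src, rest = _addr(t[5:])
        rules.append(Rule(t[3], t[4], src, _addr(rest)[0]))
    return rules

def first_match(rules, proto, src, dst):
    """ASA evaluates top-down, first match wins, and every ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto in ("ip", proto) and s in r.src and d in r.dst:
            return i, r.action
    return None, "deny"

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule already covers their traffic."""
    return [i for i, r in enumerate(rules)
            if any(e.proto in ("ip", r.proto) and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                   for e in rules[:i])]
RULES = parse_acl(ACL_TEXT)
TRIMMED = RULES[:7] + RULES[8:]  # the same ACL with only the 'permit ip any any' line removed
# shadowed(RULES) -> [8, 9]: everything after 'permit ip any any' is dead
# first_match(RULES, "tcp", "10.1.100.99", "192.168.55.50") -> (7, 'permit'): any DMZ host reaches any inside host
# first_match(TRIMMED, "tcp", "10.1.100.99", "192.168.55.50") -> (7, 'permit'): the /24-to-/24 line still allows it
# first_match(TRIMMED, "tcp", "10.1.100.99", "203.0.113.10") -> (None, 'deny'): implicit deny, so Internet needs a permit
```

Only WS001a keeps Internet access in the trimmed ACL (via its "host WS001a any" line); Brent's actual advice in the thread was to remove the access-group binding altogether, which on an ASA leaves DMZ-to-Outside open by default and DMZ-to-Inside denied.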
 
Thanks,
Yes, the only traffic allowed to the Internet is from/to DMZ.
The PC's on the INSIDE have their own Internet connection, and they "cross" the ASA only to gain access to the Servers in the DMZ.
The problem I have is that the Servers on the DMZ can't "see" the Internet, and can't access any host in the public network, but they can be accessed from the Internet (HTTP and HTTPS).

Thanks in advance for your invaluable help.
Marco
 
There are some "privileged" computers that can access "almost everything" on the servers on the DMZ, but not everyone, so, the rule:
access-list DMZ_access_in extended permit ip any any
I think should be deleted because only the
192.168.55.120
192.168.55.201
192.168.55.210
192.168.55.127
192.168.55.128
192.168.55.240
may access the servers in an "extended" manner:
-Maybe the rules should be modified so the specified PC can access every Server on the DMZ.
Additionally, the DMZ should access the Internet to consume "Web Services" and other services.


Thanks in advance for your invaluable help.
Marco
 
Well done!
I have deleted the "routes" you suggested and the servers now have access to the Internet.
Now I need to adjust the security between the INSIDE and the DMZ.
What do you recommend?

Thanks in advance for your invaluable help.
Marco
 
It really depends on your goals and design. What do you want the security adjusted to do?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I need to be able, with any of the servers in the DMZ, to:
- connect to remote desktop
- transfer files using FTP
from the SPECIFIED ip addresses into the INSIDE
HTTP and HTTPS are permitted between ANY pc in the INSIDE and ANY Server in the DMZ
Any other traffic is not permitted


Thanks in advance for your invaluable help.
Marco
 