ASA 5510 Access Rules 1

[gb0mb]

Hello all,

I am looking for a way to have a DMZ allow traffic to all without giving it access to the internal network.

Currently I have a mail server in the DMZ, with the rule:

Mail Server --> ANY

This allows the mail server to connect into my internal network also.

What I am looking for is a rule to:

Mail Server --> Any (that goes out the outside interface)

I was thinking a rule with:
Mail Server --> Outside Interface

Any help would be appreciated.

Thanks

Gb0mb

........99.9% User Error........
Ubuntu -- African for I can't install Gentoo

 

[unclerico]

object-group network RFC_1918_ADDYS
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 192.168.0.0 255.255.0.0

access-list dmz_access_in deny ip host mailserver object-group RFC_1918_ADDYS
access-list dmz_access_in permit ip any any

access-group dmz_access_in in interface dmz

This will deny all traffic from your mailserver to any other RFC 1918 address but permit it to go to any publicly routable address. You may want to adjust the first ACE to be deny ip any object-group RFC_1918_ADDYS so that it restricts all DMZ hosts from contacting your internal network(s)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[gb0mb]

Thanks for the reply.

Since I had posted your solution was the only solution I could think of.

I assume if I had used an access list:

access-list dmz_access_in permit ip any Outside_Int

it would only allow traffic to the interface IP.

I appreciate you quick accurate response,

Thanks

G

Gb0mb

........99.9% User Error........
Ubuntu -- African for I can't install Gentoo