In other words, allow only traffic to certain hosts, adding n lines, one for each required traffic, as there is no translation between these two zones.
Next, in the ACL you should deny access to your internal private range:
access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
After this you should allow the following:
access-list dmz_access_in permit tcp 192.168.1.0 255.255.255.0 gt 1023 any
(or narrow it down to TCP ports 20, 21, 53, 80, 443 by making an object group)
access-list dmz_access_in permit udp 192.168.1.0 255.255.255.0 gt 1023 any
End the ACL with:
deny any any log
After you apply it, run the following:
debug packet dmz src 192.168.1.x dst 95.256.125.1
debug packet outside src any dst 95.256.125.1
You should see traffic coming to the ASA and going out to the outside world.
Address 192.168.1.x must not pass through the ASA, as this traffic must not pass.
Please give sh ver results too.
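As an added illustration (this is not part of the poster's configuration and nothing here is ASA code), the following Python script parses the dmz_access_in lines quoted above, evaluates a few sample flows first-match the way the ASA walks an ACL, and shows why the deny for the internal 10.1.0.0/16 range has to sit above the "permit ... any" entries: moved below them, the same flow to an internal host is permitted. The source hosts, ports and the 203.0.113.10 destination are made-up test values, and the parser only understands the subset of access-list syntax used in this thread.

```python
import ipaddress

# Constructed copy of the ACL discussed in the thread, in the order the post gives it.
ACL_TEXT = """
access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list dmz_access_in permit tcp 192.168.1.0 255.255.255.0 gt 1023 any
access-list dmz_access_in permit udp 192.168.1.0 255.255.255.0 gt 1023 any
access-list dmz_access_in deny ip any any log
"""


def _take_addr(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq|gt|lt N' port operator; return ((op, n) or None, rest)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        return (tokens[0], int(tokens[1])), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC [op N] DST [op N] [log]' lines into ACEs."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)   # operator after the source applies to the source port
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        aces.append({"name": name, "action": action, "proto": proto, "src": src,
                     "sport": sport, "dst": dst, "dport": dport,
                     "log": "log" in rest, "text": raw})
    return aces


def _port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def evaluate(aces, proto, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation; returns (action, matching ACE text). Unmatched -> implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a["proto"] != "ip" and a["proto"] != proto:
            continue
        if s not in a["src"] or d not in a["dst"]:
            continue
        if not _port_ok(a["sport"], src_port) or not _port_ok(a["dport"], dst_port):
            continue
        return a["action"], a["text"]
    return "deny", "implicit deny"


def misordered(aces):
    """The same ACEs with the internal-range deny moved below the permits (the mistake to avoid)."""
    return [aces[1], aces[2], aces[0], aces[3]]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    flows = [  # (proto, src, sport, dst, dport) -- constructed test traffic
        ("tcp", "192.168.1.20", 40000, "10.1.5.5", 445),       # DMZ host -> internal SMB
        ("tcp", "192.168.1.20", 40000, "203.0.113.10", 443),  # DMZ host -> Internet HTTPS
        ("udp", "192.168.1.20", 53000, "203.0.113.10", 53),   # DMZ host -> Internet DNS
        ("tcp", "192.168.1.20", 80, "203.0.113.10", 443),     # low source port, not ephemeral
        ("tcp", "172.16.0.5", 40000, "203.0.113.10", 443),    # address not in the DMZ subnet
    ]
    for order, name in ((acl, "as posted"), (misordered(acl), "deny moved last")):
        print(f"--- ACL {name}")
        for f in flows:
            action, ace = evaluate(order, *f)
            print(f"{f[0]} {f[1]}:{f[2]} -> {f[3]}:{f[4]}  {action:6}  ({ace})")
```

Run it and compare the two tables: only the order of the entries changes, yet the flow to 10.1.5.5 flips from deny to permit, which is exactly what the "debug packet" check in the post is meant to catch before the ACL is trusted in production.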
Re: allow internet in dmz question
9 years 1 month ago #31922
While I don't know enough about your architecture to be sure (are you running public services there?), the words wireless connected to DMZ made me shudder a bit.
Are you using the DMZ just for the Wi-Fi, in other words, is it just another leg off your router/firewall? I'm asking because I'm thinking of the DMZ in the classical sense, as in the segment that provides public services.
If that's the case, then think long and hard about whether you want to put that AP in the DMZ.