zoojames

Cisco ASA 5510 DMZ needs access to outside

I am trying to allow access to the internet from my DMZ. The postings I have read on this site specify setting up a NAT. Since my firewall is live and I do not want to lose my job, would the following NAT break anything given the current NAT setup on my ASA 5510....

CURRENT....
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.30.0 255.255.255.0
nat (ids) 1 172.16.0.0 255.255.0.0

WOULD LIKE TO ADD...

nat (dmz) 1 192.168.50.0 255.255.255.0

Will this break anything? Is this necessary to allow internet access from the DMZ? I have a VPN router in the DMZ that needs to talk to another VPN router in another location.
Brian Garcia

What do you want to accomplish? Do you just need internet access for the DMZ? Can you paste the whole configuration?

Adding NAT for DMZ could have an effect on the traffic flow for the DMZ network.
fgasimzade
Adding this command will not do any harm, but is it really what you need?
zoojames

ASKER

Well, this is what I have set up, just not sure if it will work. I assume some level of outbound access from the DMZ to the cloud is needed for the Cisco 2900 VPN router (sitting in the DMZ) to create an IPsec tunnel to another 2900 elsewhere on the internet......

static (dmz,outside) 64.X.X.240 192.168.50.2 netmask 255.255.255.255

I have no problem keeping outbound from the DMZ locked, but I don't see how anything can communicate out.
ASKER CERTIFIED SOLUTION
fgasimzade
I got the result I was looking for with the confirmation from fgasimzade; however, I should consider keeping the outbound DMZ traffic locked down to a minimum.
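
Added example, not part of the thread or any poster's answer: a small Python model of pre-8.3 ASA translation selection, run over the configuration lines quoted above, to show which rule each source host would use before and after the proposed `nat (dmz) 1` line. The function names are hypothetical, and the `nat (inside) 0 access-list nonat` exemption is skipped because the `nonat` ACL is not shown on the page.

```python
import ipaddress
import re

# Lines quoted in the thread; 64.X.X.240 is redacted on the page and kept as-is.
CURRENT = """\
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.30.0 255.255.255.0
nat (ids) 1 172.16.0.0 255.255.0.0
static (dmz,outside) 64.X.X.240 192.168.50.2 netmask 255.255.255.255
"""
PROPOSED = CURRENT + "nat (dmz) 1 192.168.50.0 255.255.255.0\n"

def parse(config):
    """Collect global pools, dynamic nat rules and statics (pre-8.3 syntax)."""
    pools, nats, statics = {}, [], []
    for line in config.splitlines():
        if m := re.match(r"global \((\w+)\) (\d+) (\S+)", line):
            pools[(m[1], int(m[2]))] = m[3]
        elif m := re.match(r"nat \((\w+)\) (\d+) (\d\S+) (\S+)", line):
            # "nat ... 0 access-list ..." does not match here and is skipped.
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line):
            statics.append((m[1], m[2], m[3], ipaddress.ip_network(f"{m[4]}/{m[5]}")))
    return pools, nats, statics

def translate(config, src_if, src_ip, dst_if="outside"):
    """Return (rule_type, mapped_address) for a new outbound connection."""
    pools, nats, statics = parse(config)
    ip = ipaddress.ip_address(src_ip)
    # A static for the host is selected before any dynamic nat/global pair.
    for real_if, mapped_if, mapped, real in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real:
            return ("static", mapped)
    # Dynamic: nat (src_if) N only works with a global (dst_if) N of the same id.
    for nat_if, nat_id, net in nats:
        if nat_if == src_if and ip in net and (dst_if, nat_id) in pools:
            return ("dynamic", pools[(dst_if, nat_id)])
    return ("none", None)  # no translation rule matched

if __name__ == "__main__":
    hosts = [("inside", "10.20.30.5"), ("ids", "172.16.1.1"),
             ("dmz", "192.168.50.2"), ("dmz", "192.168.50.10")]
    for src_if, ip in hosts:
        print(src_if, ip, translate(CURRENT, src_if, ip), "->",
              translate(PROPOSED, src_if, ip))
```

In this model only DMZ hosts other than 192.168.50.2 change outcome; what traffic is actually permitted out still depends on the access list applied to the dmz interface, which the thread does not show.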