Sample ACL Inside interface to DMZ

Hi, on the access-list inside-access-in on an ASA 5515.

I would like to see sample ACL/s to allow all traffic from 3 inside networks:
192.168.5.x/24
192.168.11.x/24
192.168.5.x/24

allow ALL IP to the DMZ subnet (public IP /28).

When I do a show nat, there is no NAT for the DMZ.

We had an allow-all rule for outgoing traffic from the inside interface and we need to start tightening down. I'm starting with restricting outbound to the internet. But I want to ensure I don't break access to our DMZ subnet (I know allow-all to the DMZ is not secure or best practice); however, I'm doing this tightening in stages.

Thanks for the help. If I could get an example ACL/s please.
philb19 asked:

asavener commented:
Thing is, the access list applied to your inside interface will affect all traffic, not just the traffic to the DMZ.  You have to allow both the DMZ and the Internet traffic.

access-list inside-out remark allow internal networks to access hosts in the DMZ
access-list inside-out extended permit ip 192.168.5.0 255.255.255.0 x.x.x.x 255.255.255.240
access-list inside-out extended permit ip 192.168.11.0 255.255.255.0 x.x.x.x 255.255.255.240
access-list inside-out extended permit ip 192.168.y.0 255.255.255.0 x.x.x.x 255.255.255.240
access-list inside-out remark block all other traffic to hosts in the DMZ
access-list inside-out extended deny ip any x.x.x.x 255.255.255.240
access-list inside-out remark allow outbound traffic
access-list inside-out extended permit ip any any
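An added example, not from the thread, that models the ASA's first-match evaluation in Python over the ACEs in the answer above, to show why the deny for the DMZ has to sit before "permit ip any any". The DMZ /28 (203.0.113.0/28) and the third inside network (192.168.12.0/24) are constructed stand-ins for the masked x.x.x.x and 192.168.y.0 values.

```python
import ipaddress

# Constructed stand-ins: the answer masks the DMZ as x.x.x.x/28 and the third
# inside network as 192.168.y.0/24, so documentation addresses are used here.
DMZ = "203.0.113.0/28"
INSIDE_ACL = [
    # (action, protocol, source, destination), in the order the ACEs are entered
    ("permit", "ip", "192.168.5.0/24",  DMZ),
    ("permit", "ip", "192.168.11.0/24", DMZ),
    ("permit", "ip", "192.168.12.0/24", DMZ),
    ("deny",   "ip", "0.0.0.0/0",       DMZ),          # any other source -> DMZ
    ("permit", "ip", "0.0.0.0/0",       "0.0.0.0/0"),  # everything else outbound
]

def evaluate(acl, src, dst, proto="ip"):
    """First-match evaluation as an ASA does it: return (action, ACE index) of
    the first entry matching the flow, or ("deny", None) for the implicit deny
    that ends every ASA access list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, s_net, d_net) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            return action, i
    return "deny", None

def swap_last_two(acl):
    """Model the common mistake of putting 'permit ip any any' before the DMZ deny."""
    return acl[:-2] + [acl[-1], acl[-2]]

if __name__ == "__main__":
    flows = [
        ("192.168.5.10",  "203.0.113.5"),   # listed inside net -> DMZ
        ("192.168.20.10", "203.0.113.5"),   # unlisted inside net -> DMZ
        ("192.168.20.10", "198.51.100.7"),  # unlisted inside net -> Internet
    ]
    for src, dst in flows:
        print(src, "->", dst, evaluate(INSIDE_ACL, src, dst))
    # With the deny and the permit-any swapped, the DMZ is reachable from anywhere
    print("misordered:", evaluate(swap_last_two(INSIDE_ACL), "192.168.20.10", "203.0.113.5"))
```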
Pete Long (Technical Consultant) commented:
What version of ASA are you running? If it's a bit older, your NAT statements may need looking at.

Have a look through this:

ASA 5500 Adding a DMZ Step By Step

Pete
philb19 (Author) commented:
Thanks for the input, all.

Just on another note: our DMZ subnet has a public IP range (/28). Is this unusual to see in a DMZ? Is a DMZ normally set up with a private IP range, i.e. 172.16.x.x, and if so, does NAT come into play? Thanks
asavener commented:
I've seen it done both ways, although a private range with PAT or NAT is more common.  One reason is that with a public range, you're forced to use one of your public IPs for the firewall's gateway.  Using NAT just gives you more flexibility.

My preferred method is to use a private IP range, and then use PAT wherever possible and NAT where necessary.