Cisco ASA 5520 ACL config

Unanswered Question
Feb 14th, 2007

Hello. We have 2 cisco 5520's that we are going to replace our PIx 515's. We are running the boxes in routed single context mode in an active/standby failover. The we have four interfaces, outside security 0, inside security 100, dmz security 50, and management security 100.

So far I have configured dynamic NAT for the inside and Management interfaces(we will have some hosts on this subnet). What I want to do next is configure the ACL's, and im very confused on how to go about it. We want to permit HTTPS, FTP, POP3, SMTP, and WWW to come into the network from the outside. I do have some static NAT's configured for each of these protocols. I will be translating them to be on an IP address inside the DMZ of course.

Am i correct in assuming i need to apply inbound access lists on the outside interface permitting https, www, ftp, pop3, smtp, and www? If so, what do i configure next to allow this protocol specific traffic to enter the dmz interface and talk to the servers?

Also, for hosts on the inside, and Management interfaces, Since their security is at 100, they should be able to access the outside to get to the internet by default correct? Or do i need to specificly allow that as well with an acl?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
2plaidlaw Wed, 02/14/2007 - 15:03


If you are just wanting to allow traffic initiated from outside into your DMZ for HTTP FTP....etc, and not allow your servers in your DMZ to iniate traffic to anything then you'll apply an ACL on your outside interface allowing that traffic in. You would then apply an ACL on your DMZ interface that deny's all traffic.


access-list outside_in extended permit any host x.x.x.x eq http

access-list outside_in extended permit any host x.x.x.x eq smtp

access-list outside_in extended permit any host x.x.x.x eq etc

!apply this acl now to the outside

access-group outside_in in interface outside

!now create your deny acl

access-list deny-all extended deny ip any any

!apply this acl to the DMZ interface

access-group deny-all in interface DMZ

Now the reason this works is because the firewall is stateful and it acts like a reflexive access-list which when traffic is allowed in to the outside interface and dropped onto the DMZ state is recorded for that session so that when return traffic is seen it is allowed out.


Patrick Laidlaw


This Discussion