Not working from Inside to DMZ after configuring the ACL.

Answered Question
Mar 14th, 2007

Hi,

As per the concept of ASA, traffic from inside (Sec 100) to DMZ (Sec 50) is allowed by default. When I try to write some ACL (host-to-host block) on the inside interface, no other traffic is flowing to and from the inside interface.

Everything is blocked. Previously no ACL had been mapped to the inside interface.

Kindly help me to resolve this issue and also provide the document for the behaviour of the firewall before and after configuring the ACL.

suschoud Wed, 03/14/2007 - 08:30

Hi Abdul,

Yes, by default, traffic is allowed from the higher sec. zone to the lower one.

But that is when you do not have any access-list on the higher sec. interface.

If you have even a single access-list on the higher sec. interface, then you need to specify all the traffic which you want to allow in the access-lists.

The reason:

There's an implicit deny at the end of the access-list which by default denies the traffic not allowed in the access-list statements above it.

So, either do not put any access-list on the inside interface and everything will be permitted,

or, if you put even a single statement on the inside interface, then please specify all the traffic you want to permit and the rest will be denied by the implicit deny at the end.

Otherwise, you can deny all the traffic initially and then put a permit ip any any at the end.

Hope this helps!!

Sushil

Cisco TAC.

Correct Answer
acomiskey Wed, 03/14/2007 - 08:30

Post the acl you entered. Remember, there is an explicit deny any any at the end of the acl. So if you only want to prevent access to some dmz machine, then it has to be written properly. Allow what you want to allow to dmz, deny everything else to dmz, then allow everything else.

Correct Answer
greivin.viquez Wed, 03/14/2007 - 11:48

You are right in terms of the default behaviour of the ASA as long as there is no ACL on the inside interface; however, once there is an ACL, this will filter any outgoing traffic. So, if you do not have an ACL applied on the inside interface, all the traffic will be permitted from a high (100) interface to a low (50) interface, BUT if there is an ACL, this will filter ALL the traffic, whatever the values are. The ACL you create for the inside interface must permit all the outgoing traffic, not only for the internet (outside interface) but also for the DMZ.

Regards,

jahangeer_abdul Wed, 03/14/2007 - 23:28

I have added the following lines on my PIX Firewall.

access-list inside_acl permit icmp any any

access-list inside_acl permit tcp host 172.30.2.184 any eq telnet log

access-list inside_acl deny udp host 172.30.2.88 any eq 135 log

access-list inside_acl deny tcp host 172.30.2.88 any eq 135 log

access-list inside_acl deny udp host 172.30.2.88 any eq 139 log

access-list inside_acl deny tcp host 172.30.2.88 any eq netbios-ssn log

access-group inside_acl in interface inside

(above lines are revoked from the Firewall)

After binding the Lines, every communication from IN to OUT is blocked.

Kindly help me to resolve the issue and also find the attachments for more details.

Regards,

Jahangeer A

acomiskey Thu, 03/15/2007 - 05:45

Take a look at my first post again. There is an explicit or "hidden" entry that is always the last line in your access-list. It is "deny ip any any". This is blocking everything you have not specifically permitted, like icmp and telnet. If all you want to do is deny what you have in your access-list, add this line to the end of your list.

access-list inside_acl permit ip any any
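The behaviour the thread describes is first-match evaluation with an implicit deny at the end: once an ACL is bound to the inside interface with access-group, every packet leaving that interface is compared against the entries in order, the first matching entry decides, and anything that matches nothing is dropped. The Python below is an added illustration, not Cisco code or anything from the posters: it parses the access-list lines exactly as posted in the thread, evaluates constructed sample packets against them, and shows why the ACL as posted blocks an ordinary web connection to the DMZ, why appending permit ip any any fixes that while keeping the deny entries for host 172.30.2.88 effective, and why placing permit ip any any first would make every later entry unreachable (acomiskey's "deny what you want, then allow everything else" ordering). The DMZ address 172.30.5.10 and the inside client 172.30.2.10 are constructed for the example and do not appear in the thread; the port-name table is a small subset of the ASA keywords.

```python
"""First-match ACL evaluation as a PIX/ASA applies an ACL bound with
`access-group ... in interface inside`. Added illustration, not Cisco code:
the evaluator, the DMZ/client addresses and the sample packets are
constructed here to show why the ACL posted in the thread blocked all
traffic it did not explicitly permit."""

from dataclasses import dataclass
from typing import Optional

# Constructed subset of the ASA port-name keywords used by the thread's ACL.
NAMED_PORTS = {"telnet": 23, "netbios-ssn": 139, "www": 80}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def parse_acl(config: str) -> list[Ace]:
    """Parse `access-list NAME permit|deny PROTO SRC DST [eq PORT] [log]` lines.
    Other lines (access-group, blanks) are ignored so a pasted config works."""
    aces = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = NAMED_PORTS[rest[1]] if rest[1] in NAMED_PORTS else int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches every protocol; a None field matches anything."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ace.src != pkt.src:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(aces: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE). Evaluation stops at the
    first match; if nothing matches, the implicit deny at the end of the
    list applies and the index is None."""
    for i, ace in enumerate(aces):
        if _matches(ace, pkt):
            return ace.action, i
    return "deny", None


def unreachable(aces: list[Ace]) -> list[int]:
    """Indices of ACEs that can never be hit because an earlier
    '<permit|deny> ip any any' entry already catches every packet."""
    for i, ace in enumerate(aces):
        if ace.proto == "ip" and ace.src is None and ace.dst is None and ace.dport is None:
            return list(range(i + 1, len(aces)))
    return []


# The ACL exactly as posted in the thread.
THREAD_ACL = """\
access-list inside_acl permit icmp any any
access-list inside_acl permit tcp host 172.30.2.184 any eq telnet log
access-list inside_acl deny udp host 172.30.2.88 any eq 135 log
access-list inside_acl deny tcp host 172.30.2.88 any eq 135 log
access-list inside_acl deny udp host 172.30.2.88 any eq 139 log
access-list inside_acl deny tcp host 172.30.2.88 any eq netbios-ssn log
access-group inside_acl in interface inside
"""
# The fix suggested in the thread: permit everything else as the LAST entry.
FIXED_ACL = THREAD_ACL.replace(
    "access-group", "access-list inside_acl permit ip any any\naccess-group")
# The same entry placed FIRST, which shadows every deny below it.
WRONG_ORDER_ACL = "access-list inside_acl permit ip any any\n" + THREAD_ACL

# Constructed traffic from inside to a DMZ host (172.30.5.10 is made up).
WEB = Packet("tcp", "172.30.2.10", "172.30.5.10", 80)
PING = Packet("icmp", "172.30.2.10", "172.30.5.10")
TELNET = Packet("tcp", "172.30.2.184", "172.30.5.10", 23)
RPC = Packet("tcp", "172.30.2.88", "172.30.5.10", 135)
SAMPLES = [("web", WEB), ("ping", PING), ("telnet", TELNET), ("rpc", RPC)]


def verdicts(config: str) -> dict[str, str]:
    """Action taken for each sample packet under the given configuration."""
    aces = parse_acl(config)
    return {name: evaluate(aces, pkt)[0] for name, pkt in SAMPLES}


if __name__ == "__main__":
    for label, cfg in [("as posted", THREAD_ACL), ("permit any last", FIXED_ACL),
                       ("permit any first", WRONG_ORDER_ACL)]:
        print(f"{label:17} {verdicts(cfg)}  unreachable={unreachable(parse_acl(cfg))}")
```

Running it shows the posted ACL permitting only ping and the one telnet host (the web connection falls through to the implicit deny, which is the "everything is blocked" symptom), the fixed ACL permitting the web connection at the appended entry while still dropping 172.30.2.88's port 135 traffic at entry 3, and the wrong ordering permitting everything at entry 0 with entries 1 to 6 never consulted.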
