DMZ access

Answered Question
Jan 24th, 2008

I'm new to setting up firewalls and I have a new ASA 5510 that I'm configuring. The way I understand security levels, inside interface traffic should be able to access DMZ resources because the DMZ interface has a lower security level. However I believe I need to add an access-list so the DMZ traffic can pass to inside interface resources. Is that correct?


If my assumptions are correct I have two additional questions:


1. I have a web server in my DMZ and some of the websites need to access server resources on the inside (specifically SQL DBs in most cases). Would the following command work for a website at 192.168.0.37 to access a SQL DB at 192.168.200.5?

DMZ - 192.168.0.0/24

Inside - 192.168.200.0/21


access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet


2. I need to be able to remote control the web server through RDC for administration from the inside. Would the following work?


access-list dmz extended permit tcp host 192.168.0.25 any eq 3389

acomiskey Thu, 01/24/2008 - 12:23

"However I believe I need to add an access-list so the DMZ traffic can pass to inside interface resources. Is that correct?"


-Yes.


"Would the following command work for a website at 192.168.0.37 to access a SQL DB at 192.168.200.5?


access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet "


-Yes. But you would also want to add this...


access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet

access-list dmz extended deny ip any 192.168.200.0 255.255.255.0

access-list dmz extended permit ip any any


"I need to be able to remote control the web server through RDC for administration from the inside. Would the following work?


access-list dmz extended permit tcp host 192.168.0.25 any eq 3389 "


-You would not need to specify this traffic in the acl as the traffic is initiating from the inside (if I understood you correctly).


Also, for the networks on the inside which will need to have access to the dmz, you want to add a static like so...


static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0


qbakies11 Fri, 01/25/2008 - 06:03

"access-list dmz extended deny ip any 192.168.200.0 255.255.255.0"


- Will this prevent all traffic from the DMZ to the inside except for the specific entries listed above it (i.e. the SQLnet ACE)?


"access-list dmz extended permit ip any any"


- I'm not sure what the purpose of this ACE is. Wouldn't it allow traffic from anywhere except the 200.0 subnet into the inside?


"You would not need to specify this traffic in the acl as the traffic is initiating from the inside(if I understood you correctly)."


- So, if I initiate traffic from the inside to the DMZ, response traffic back to the inside will be allowed regardless?


acomiskey Fri, 01/25/2008 - 06:08

"I'm not sure what the purpose of this ACE is. Wouldn't it allow traffic from anywhere except the 200.0 subnet into the inside?"


-Once you have allowed what you want from dmz to inside, then denied all other traffic from dmz to inside, you must add the permit ip any any if you want the dmz to be able to go outside as well. Remember, this acl is applied into the dmz interface; it not only inspects traffic from dmz to inside, but dmz to anywhere. If you didn't add this, the machines on the dmz would not be able to access the internet.


"So, if I initiate traffic from the inside to the DMZ, response traffic back to the inside will be allowed regardless?"


-Yes, that's the whole point of a stateful firewall.

qbakies11 Fri, 01/25/2008 - 06:15

First, thank you for all your help and you can be sure I will be rating your comments on this topic.


I'm not understanding something...if the outside interface security level is lower than the DMZ interface wouldn't traffic initiated from the DMZ to the outside be allowed just as you described above in the DMZ -> inside example? Then you wouldn't need the ACE that allows any IP.

Correct Answer
acomiskey Fri, 01/25/2008 - 06:25

No problem.


"I'm not understanding something...if the outside interface security level is lower than the DMZ interface wouldn't traffic initiated from the DMZ to the outside be allowed just as you described above in the DMZ"


-Yes, until you add an access-list into the dmz interface. Once you add the acl there is always an explicit "deny ip any any" at the end of the acl. So your acl really looks like this...


access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet

access-list dmz extended deny ip any 192.168.200.0 255.255.255.0

access-list dmz extended deny ip any any


Therefore you need to add the "permit ip any any" before the explicit deny.
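The two points acomiskey makes in this thread (the ACL applied to the dmz interface is evaluated first-match with an implicit deny at the end, so the trailing "permit ip any any" is what keeps DMZ-to-internet working; and reply traffic of a connection initiated from the inside is matched by the connection table rather than the ACL) can be checked with a small model. The following is an added example, not code from the thread or from Cisco: it parses the three ACL lines quoted above, evaluates constructed flows against them, and models a minimal stateful connection table. The security levels (inside 100, dmz 50, outside 0), the host 192.168.200.50 used as the admin workstation, the outside address 203.0.113.10 and all port numbers other than 1521 (the ASA's "sqlnet") are assumptions; the `static (inside,dmz)` NAT line from the thread is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL lines as quoted in the thread, in the order acomiskey recommends.
DMZ_ACL_TEXT = """
access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet
access-list dmz extended deny ip any 192.168.200.0 255.255.255.0
access-list dmz extended permit ip any any
"""

# ASA port keyword used in the thread (sqlnet is 1521 on the ASA).
SERVICE_PORTS = {"sqlnet": 1521}

# Assumed security levels; the thread does not state them.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None when the ACE has no "eq <port>"


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = int(t[i + 1]) if t[i + 1].isdigit() else SERVICE_PORTS[t[i + 1]]
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation; a packet matching no ACE hits the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit 'deny ip any any' at the end of every ASA ACL


class StatefulFirewall:
    """Minimal model: ingress ACL per interface, security-level default, connection table."""

    def __init__(self, ingress_acls):
        self.acls = ingress_acls   # interface -> list of Ace; interfaces with no ACL are absent
        self.conns = set()         # (proto, src, sport, dst, dport) of permitted connections

    def packet(self, ingress, egress, proto, src, sport, dst, dport):
        # Reply traffic of a known connection is matched in the connection table and
        # never consults the ACL: this is the stateful behaviour acomiskey refers to.
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit"
        if ingress in self.acls:
            verdict = evaluate(self.acls[ingress], proto, src, dst, dport)
        else:
            # No ACL on the ingress interface: higher-to-lower security level is allowed.
            higher = SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
            verdict = "permit" if higher else "deny"
        if verdict == "permit":
            self.conns.add((proto, src, sport, dst, dport))
        return verdict


def run_scenarios(acl_text=DMZ_ACL_TEXT):
    """Constructed flows from the thread; returns {scenario: verdict}."""
    fw = StatefulFirewall({"dmz": parse_acl(acl_text)})
    r = {}
    # 1. DMZ web server to the inside SQL DB: matched by the first ACE.
    r["dmz_to_sql"] = fw.packet("dmz", "inside", "tcp", "192.168.0.37", 40000, "192.168.200.5", 1521)
    # 2. Same server to any other inside host: caught by the deny ACE.
    r["dmz_to_other_inside"] = fw.packet("dmz", "inside", "tcp", "192.168.0.37", 40001, "192.168.200.10", 445)
    # 3. DMZ host to the internet: only the trailing 'permit ip any any' allows this.
    r["dmz_to_internet"] = fw.packet("dmz", "outside", "tcp", "192.168.0.25", 40002, "203.0.113.10", 443)
    # 4. Admin RDP from the inside to the DMZ web server: no ACL on inside, higher level.
    r["inside_rdp"] = fw.packet("inside", "dmz", "tcp", "192.168.200.50", 50000, "192.168.0.25", 3389)
    # 5. The RDP reply: the dmz ACL alone would deny it, the connection table permits it.
    r["rdp_reply"] = fw.packet("dmz", "inside", "tcp", "192.168.0.25", 3389, "192.168.200.50", 50000)
    return r
```

Running `run_scenarios()` with the three-line ACL permits scenarios 1, 3, 4 and 5 and denies 2; running it with only the first two lines (drop the `permit ip any any`) turns scenario 3 into a deny, which is exactly the "machines on the dmz would not be able to access the internet" outcome described above.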
