Unexpected access through ACL

Answered Question
Jan 8th, 2009

Hi,

I'm having a problem that I can't figure out.

To outline a simple setup of our configuration, it looks like this:

inside (sec. level 100)

outside (sec. level 0)

dmz (sec. level 20)

Now, I've created a NAT exempt statement between the dmz and the inside network. I then created a rule on the dmz interface that allows http to any.

The problem is that this rule also allows http access to the inside. I might be wrong, but shouldn't the security levels prevent this automatically in spite of the "any" rule?

Maybe it has something to do with the nat exempt, or it might just be default behaviour?

Thanks in advance,

Rasmus

Correct Answer by Jon Marshall about 8 years 1 week ago

Rasmus

That is normal behaviour. What I am a bit confused about is if you want http access to be allowed from the DMZ but not to the inside, why bother with an acl at all?

For traffic to flow from a lower to a higher security you need 2 things -

1) NAT - which you have taken care of with your exemption

2) an access-list allowing that traffic - which you have done.

If you want to stop this either

1) remove the acl from the dmz interface (although you may be using this acl for other reasons)

2) deny traffic from the dmz to the inside in your access-list first and then permit any, e.g.

access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any

where 172.16.5.0/24 is DMZ subnet and 192.168.5.0/24 is inside subnet.

Jon

blueoceanventure Fri, 01/09/2009 - 03:29

Hi Jon,

Thanks for your reply.

OK. I just thought that "any" traffic from a lower sec. level to a higher one didn't get through.

I will follow your advice number 2.

Thanks again.

Rasmus

marcelnjkoks Mon, 01/12/2009 - 01:52

That is exactly what the access list does. Traffic from lower to higher will not flow automatically; you'll need an ACL.

Without ACL, traffic from high to low works (might need NAT), from low to high is blocked.
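Added illustration, not part of any post in this thread: a small Python model of how an ASA interface decides on a flow, covering both points made above. With no ACL applied, only higher-to-lower security traffic passes (marcelnjkoks's comment). Once an ACL is applied to the interface, the ACL alone decides, first match wins, and there is an implicit deny at the end, which is why Jon's deny line has to come before the permit. The ACL text is Jon's two lines and the interface levels are Rasmus's; the host addresses 172.16.5.10, 192.168.5.10 and 203.0.113.7 are constructed sample values inside the subnets named, port matching is not parsed, and the NAT requirement Jon mentions is left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Jon's two ACEs from the answer above, fed to the parser as-is.
ACL_TEXT = """
access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any
"""

# Security levels from Rasmus's setup.
LEVELS = {"inside": 100, "outside": 0, "dmz": 20}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # ASA ACLs use a normal subnet mask (not a wildcard); IPv4Network accepts "addr/mask".
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST' lines, grouped by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, i = tokens[1], 2
        if tokens[i] == "extended":
            i += 1
        action, proto = tokens[i], tokens[i + 1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACE: {line}")
        src, i = _parse_addr(tokens, i + 2)
        dst, i = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def acl_decision(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> str:
    """First matching ACE wins; an applied ACL always ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if (ace.proto == "ip" or ace.proto == proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def interface_decision(src_level: int, dst_level: int, aces: Optional[List[Ace]],
                       proto: str, src_ip: str, dst_ip: str) -> str:
    """Simplified ingress decision for one ASA interface.

    No ACL applied: higher-to-lower passes, lower-to-higher is blocked (equal levels are
    treated as blocked here, the default without same-security-traffic permit).
    ACL applied: the ACL alone decides; security levels no longer matter (Jon's point).
    """
    if aces is None:
        return "permit" if src_level > dst_level else "deny"
    return acl_decision(aces, proto, src_ip, dst_ip)


def demo() -> Dict[str, str]:
    """Walk the thread's scenarios; constructed sample hosts inside the subnets Jon named."""
    dmz_in = parse_acl(ACL_TEXT)["dmz_in"]
    permit_only = dmz_in[1:]              # Rasmus's situation: just a permit-to-any line
    dmz_host, inside_host, internet_host = "172.16.5.10", "192.168.5.10", "203.0.113.7"
    dmz, inside, outside = LEVELS["dmz"], LEVELS["inside"], LEVELS["outside"]
    return {
        "no_acl_dmz_to_inside": interface_decision(dmz, inside, None, "tcp", dmz_host, inside_host),
        "no_acl_inside_to_dmz": interface_decision(inside, dmz, None, "tcp", inside_host, dmz_host),
        "permit_only_dmz_to_inside": interface_decision(dmz, inside, permit_only, "tcp", dmz_host, inside_host),
        "deny_first_dmz_to_inside": interface_decision(dmz, inside, dmz_in, "tcp", dmz_host, inside_host),
        "deny_first_dmz_to_outside": interface_decision(dmz, outside, dmz_in, "tcp", dmz_host, internet_host),
        # Same two lines in the wrong order: the permit shadows the deny.
        "permit_first_dmz_to_inside": interface_decision(dmz, inside, list(reversed(dmz_in)), "tcp", dmz_host, inside_host),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:30s} {verdict}")
```

The last scenario is the one worth remembering when editing a live ACL: the same two ACEs with the permit listed first reproduce exactly the exposure Rasmus reported, because evaluation stops at the first match.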
