Unexpected access through ACL

Hi,

I'm having a problem that I can't figure out.

To outline a simple setup of our configuration, it looks like this:

inside (sec. level 100)

outside (sec. level 0)

dmz (sec. level 20)

Now, I've created a NAT exempt statement between the dmz and the inside network. I then created a rule on the dmz interface that allows http to any.

The problem is that this rule also allows http access to the inside. I might be wrong, but shouldn't the security levels prevent this automatically in spite of the "any" rule?

Maybe it has something to do with the NAT exempt, or it might just be default behaviour?

Thanks in advance,

Rasmus

1 Accepted Solution

Jon Marshall (Hall of Fame)

Rasmus

That is normal behaviour. What I am a bit confused about is if you want http access to be allowed from the DMZ but not to the inside why bother with an acl at all ?

For traffic to flow from a lower to a higher security you need 2 things -

1) NAT - which you have taken care of with your exemption

2) an access-list allowing that traffic - which you have done.

If you want to stop this either

1) remove the acl from the dmz interface (although you may be using this acl for other reasons)

2) deny traffic from the dmz to the inside in your access-list first and then permit any eg.

access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any

where 172.16.5.0/24 is DMZ subnet and 192.168.5.0/24 is inside subnet.

Jon

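The rule Jon describes (an inbound ACL on an interface is evaluated first-match with an implicit deny at the end, and only when no ACL is bound do the security levels decide) can be checked without a lab. The following is an added illustration, not Jon's, Rasmus's or Cisco's code: a small Python model that parses ASA-style access-list lines and applies them to a new connection. It uses the 172.16.5.0/24 DMZ and 192.168.5.0/24 inside subnets from Jon's post; the outside host 203.0.113.5, the ACL name dmz_in on Rasmus's original rule, and the "permit tcp ... eq 80" wording of that rule are assumptions. NAT is not modelled (the NAT exemption Rasmus already has is taken as given), and only numeric "eq PORT" operands are parsed.

```python
"""Toy model of how an ASA admits a new connection: if an ACL is bound
inbound on the ingress interface it is evaluated first-match with an
implicit deny at the end; with no ACL the interface security levels
decide. Added illustration only, not ASA code. NAT is assumed to be
already taken care of (Rasmus's NAT exemption), so it is not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # only a numeric "eq PORT" is modelled

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Interface:
    name: str
    security_level: int
    network: ipaddress.IPv4Network    # what is reachable out of this interface
    acl: Optional[list] = None        # ACEs bound with "access-group NAME in interface"


def _network(tok, i):
    """Parse one ASA address operand: any | host A.B.C.D | A.B.C.D MASK."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _network(tok, i + 2)
    dst, i = _network(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return tok[1], Ace(action, proto, src, dst, dport)


def admit(ifaces, ingress, proto, src_ip, dst_ip, dport=None):
    """True if a new connection arriving on `ingress` is allowed through."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    inbound = ifaces[ingress]
    # Egress interface = longest-prefix match among connected/default networks.
    outbound = max((i for i in ifaces.values() if dst_ip in i.network),
                   key=lambda i: i.network.prefixlen)
    if inbound.acl is not None:
        for ace in inbound.acl:           # first match wins
            if ace.matches(proto, src_ip, dst_ip, dport):
                return ace.action == "permit"
        return False                      # implicit deny at the end of every ACL
    # No ACL bound: higher -> lower security flows, lower -> higher does not.
    # (Equal levels would also need "same-security-traffic permit inter-interface".)
    return inbound.security_level > outbound.security_level


def build(dmz_acl_lines=None):
    """Rasmus's three-interface layout; the DMZ ACL is optional."""
    acl = [parse_ace(l)[1] for l in dmz_acl_lines] if dmz_acl_lines else None
    return {
        "inside": Interface("inside", 100, ipaddress.ip_network("192.168.5.0/24")),
        "dmz": Interface("dmz", 20, ipaddress.ip_network("172.16.5.0/24"), acl),
        "outside": Interface("outside", 0, ANY),   # default route lives here
    }


# Three configurations: no ACL on dmz, Rasmus's "http to any" rule, Jon's fix.
NO_ACL = build()
PERMIT_ANY = build(["access-list dmz_in extended permit tcp 172.16.5.0 255.255.255.0 any eq 80"])
JONS_FIX = build([
    "access-list dmz_in extended deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0",
    "access-list dmz_in extended permit ip 172.16.5.0 255.255.255.0 any",
])

if __name__ == "__main__":
    for label, fw in [("no ACL", NO_ACL), ("permit any", PERMIT_ANY), ("Jon's fix", JONS_FIX)]:
        print(label,
              "dmz->inside:80", admit(fw, "dmz", "tcp", "172.16.5.10", "192.168.5.10", 80),
              "dmz->outside:80", admit(fw, "dmz", "tcp", "172.16.5.10", "203.0.113.5", 80))
```

Running it shows the three states of the thread: with no ACL the DMZ cannot reach inside but can reach outside; with the permit-any rule the DMZ reaches inside on port 80, which is Rasmus's problem; with the deny placed first, inside is blocked again while outside stays open. It also shows the side effect Jon hints at with "why bother with an acl at all": once any ACL is bound to dmz, everything it does not explicitly permit (for example port 443 to outside under the port-80-only rule) is dropped by the implicit deny.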
3 Replies

Hi Jon,

Thanks for your reply.

OK. I just thought that "any-traffic" from a lower sec. level to a higher one didn't get through.

I will follow your advice number 2.

Thanks again.

Rasmus

That is exactly what the access list does. Traffic from lower to higher will not flow automatically, you'll need an ACL.

Without ACL, traffic from high to low works (might need NAT), from low to high is blocked.
