ASA DMZ Access

Answered Question
Jan 9th, 2009
User Badges:


I was just hoping someone could clarify something for me. Obviously with a DMZ you don't want the devices talking to the internal network (usually anyway) If a server in the DMZ needed access to anywhere on the web but not inside (e.g. a SMTP server) and you created the ACL to permit SMTP Server using TCP port 25 anywhere, this would also allow it anywhere using TCP 25 on the inside network too would it not?

Would you have to create the ACL to say deny SMTP Server using TCP 25 to etc etc and then permit it anywhere? Or is there a feature that prevents this anyway? I know there is NAT control which would require a NAT translation but that is from a high security to lower security interface is it not?

So how would you configure something like this? Hope this makes sense.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)


On the ASA,

Outside Interface Security Level 0

Inside Interface security level 100

The above are defaults and cannot be changed.

The rule is this:-

Traffic from an interface with a higher security level can pass to a an interface with a lower security level by default - no acl required.

Traffic from an interface with a lower security level cannot pass to an interface with a higher security level without an acl that permits the traffic.

If you have a DMZ - the security level cannot be set higher than the inside or lower than the outside.


mike_guy29 Fri, 01/09/2009 - 02:33
User Badges:


Thanks for your reply. I was aware of those points already but its appreciated. To be honest I think I answered my own question I was just having a stupid moment! I would just need to stick the deny statements then the permit all. Just wondered about other ways and best practices etc.


mike_guy29 Fri, 01/09/2009 - 02:44
User Badges:

Hi sorry not the best wording. For example you have an SMTP relay in the DMZ. Needs to be able to get anywhere on the Internet and to one host internally. I meant you would just have to configure it as

access-list dmz-in extended permit tcp host x.x.x.x host y.y.y.y eq 25

access-list dmz-in extended deny ip host x.x.x.x y.y.y.y

access-list dmz-in extended permit tcp host x.x.x.x any eq 25

The deny all wouldn't have helped protect internal networks if you use a permit any tcp 25.

As I say I wouldn't worry! I was having a dumb moment


This Discussion