01-09-2009 01:51 AM - edited 03-11-2019 07:34 AM
Hi,
I was just hoping someone could clarify something for me. Obviously with a DMZ you don't want the devices talking to the internal network (usually anyway). If a server in the DMZ needed access to anywhere on the web but not inside (e.g. an SMTP server) and you created the ACL to permit the SMTP server using TCP port 25 anywhere, this would also allow it anywhere using TCP 25 on the inside network too, would it not?
Would you have to create the ACL to say deny the SMTP server using TCP 25 to 192.168.0.0 etc. etc. and then permit it anywhere? Or is there a feature that prevents this anyway? I know there is NAT control, which would require a NAT translation, but that is from a high security to a lower security interface, is it not?
So how would you configure something like this? Hope this makes sense.
Thanks
01-09-2009 02:29 AM
Mike,
On the ASA,
Outside Interface Security Level 0
Inside Interface security level 100
The above are defaults and cannot be changed.
The rule is this:
Traffic from an interface with a higher security level can pass to an interface with a lower security level by default - no ACL required.
Traffic from an interface with a lower security level cannot pass to an interface with a higher security level without an ACL that permits the traffic.
If you have a DMZ - the security level cannot be set higher than the inside or lower than the outside.
HTH.
01-09-2009 02:33 AM
Hi,
Thanks for your reply. I was aware of those points already but it's appreciated. To be honest I think I answered my own question, I was just having a stupid moment! I would just need to stick the deny statements then the permit all. Just wondered about other ways and best practices etc.
Thanks
01-09-2009 02:37 AM
Errrm sorry - from your original question I don't quite understand where "stick the deny statements then the permit all" comes into it?
Remember that at the end of an ACL there is a default deny all?
01-09-2009 02:44 AM
Hi, sorry, not the best wording. For example you have an SMTP relay in the DMZ. It needs to be able to get anywhere on the Internet and to one host internally. I meant you would just have to configure it as
access-list dmz-in extended permit tcp host x.x.x.x host y.y.y.y eq 25
access-list dmz-in extended deny ip host x.x.x.x y.y.y.y 255.255.255.0
access-list dmz-in extended permit tcp host x.x.x.x any eq 25
The implicit deny all wouldn't have helped protect internal networks if you use a permit tcp any eq 25.
As I say I wouldn't worry! I was having a dumb moment
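To make the ordering point above concrete, here is an added example (constructed for this thread, not code posted by anyone in it and not a Cisco tool): a small Python evaluator for the subset of ASA extended ACL syntax used in the post. It applies the same first-match rule the ASA does and falls back to the implicit deny when nothing matches. The addresses are made up: 172.16.1.10 stands in for the DMZ relay (x.x.x.x), 192.168.0.25 for the one permitted internal host (y.y.y.y) and 192.168.0.0/24 for the inside network. NAIVE is the single permit-any line; ORDERED is the deny-before-permit-any version from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, source, destination, optional port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; otherwise must equal the flow's
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended <permit|deny> <proto> SRC DST [eq PORT]'.

    SRC/DST may be 'host A.B.C.D', 'any', or 'NETWORK MASK' (ASA netmask form).
    """
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("not an extended access-list line: " + line)
    action, proto = tok[3], tok[4]
    i = 5

    def addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "host":
            net = ipaddress.ip_network(tok[i + 1] + "/32")
            i += 2
        elif tok[i] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
            i += 1
        else:  # "192.168.0.0 255.255.255.0" -> ip_network accepts the slash-netmask form
            net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
            i += 2
        return net

    src = addr()
    dst = addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match means the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst and (ace.dport is None or ace.dport == dport):
            return ace.action
    return "deny"


# Constructed addresses standing in for the placeholders in the post.
RELAY = "172.16.1.10"          # x.x.x.x, the SMTP relay in the DMZ
INSIDE_HOST = "192.168.0.25"   # y.y.y.y, the one internal host it may reach
INSIDE_NET = "192.168.0.0 255.255.255.0"

# The single permit-any line: the implicit deny never sees inside-bound SMTP.
NAIVE = [parse_ace(f"access-list dmz-in extended permit tcp host {RELAY} any eq 25")]

# The ordering from the post: specific permit, then deny the inside net, then permit any.
ORDERED = [parse_ace(l) for l in (
    f"access-list dmz-in extended permit tcp host {RELAY} host {INSIDE_HOST} eq 25",
    f"access-list dmz-in extended deny ip host {RELAY} {INSIDE_NET}",
    f"access-list dmz-in extended permit tcp host {RELAY} any eq 25",
)]

# Same three lines with the permit-any placed first: the deny is shadowed and never matches.
SHADOWED = [ORDERED[2], ORDERED[0], ORDERED[1]]


def leaks_to_inside(acl: List[Ace]) -> bool:
    """True if the relay can open SMTP to an arbitrary inside host other than INSIDE_HOST."""
    return evaluate(acl, "tcp", RELAY, "192.168.0.50", 25) == "permit"


if __name__ == "__main__":
    for name, acl in (("NAIVE", NAIVE), ("ORDERED", ORDERED), ("SHADOWED", SHADOWED)):
        print(name, "leaks to inside:", leaks_to_inside(acl))
```

Running it shows NAIVE and SHADOWED both let the relay reach any inside host on TCP 25, while ORDERED permits only the one internal host and the Internet, and still drops anything not on port 25 through the implicit deny. The SHADOWED case is the one worth checking for in real configs: the deny line is present, but it sits below a broader permit and never matches.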