ASA DMZ Access

mike_guy29 (Level 1)

Hi,

I was just hoping someone could clarify something for me. Obviously with a DMZ you don't want the devices talking to the internal network (usually anyway). If a server in the DMZ needed access to anywhere on the web but not inside (e.g. an SMTP server) and you created the ACL to permit SMTP Server using TCP port 25 anywhere, this would also allow it anywhere using TCP 25 on the inside network too, would it not?

Would you have to create the ACL to say deny SMTP Server using TCP 25 to 192.168.0.0 etc etc and then permit it anywhere? Or is there a feature that prevents this anyway? I know there is NAT control which would require a NAT translation but that is from a high security to lower security interface is it not?

So how would you configure something like this? Hope this makes sense.

Thanks


andrew.prince (Level 10)

Mike,

On the ASA,

Outside Interface Security Level 0

Inside Interface security level 100

The above are defaults and cannot be changed.

The rule is this:-

Traffic from an interface with a higher security level can pass to an interface with a lower security level by default - no acl required.

Traffic from an interface with a lower security level cannot pass to an interface with a higher security level without an acl that permits the traffic.

If you have a DMZ - the security level cannot be set higher than the inside or lower than the outside.

HTH

Hi,

Thanks for your reply. I was aware of those points already but it's appreciated. To be honest I think I answered my own question, I was just having a stupid moment! I would just need to stick the deny statements then the permit all. Just wondered about other ways and best practices etc.

Thanks

Errrm sorry - from your original question I don't quite understand where "stick the deny statements then the permit all" comes into it???

Remember at the end of an acl there is a default deny all?

Hi, sorry, not the best wording. For example you have an SMTP relay in the DMZ. It needs to be able to get anywhere on the Internet and to one host internally. I meant you would just have to configure it as

access-list dmz-in extended permit tcp host x.x.x.x host y.y.y.y eq 25

access-list dmz-in extended deny ip host x.x.x.x y.y.y.y 255.255.255.0

access-list dmz-in extended permit tcp host x.x.x.x any eq 25

The deny all wouldn't have helped protect internal networks if you use a permit any tcp 25.

As I say, I wouldn't worry! I was having a dumb moment.
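As an added illustration (not part of the thread), the following Python snippet models the first-match evaluation of an ASA ACL, including the implicit deny at the end, and shows why the order posted above matters: with the host permit and the inside-network deny placed before "permit ... any eq 25", only the one inside host is reachable, while reversing the order lets the relay reach every inside host on TCP/25. The addresses (10.1.1.25 for the relay, 192.168.0.10 for the permitted inside host, 192.168.0.0/24 for the inside network) are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed ASA-style "dmz-in" ACL in the same order as the post above.
# Tuple layout: (action, protocol, source, destination, destination port or None).
DMZ_IN = [
    ("permit", "tcp", "10.1.1.25/32", "192.168.0.10/32", 25),   # relay -> one inside host
    ("deny",   "ip",  "10.1.1.25/32", "192.168.0.0/24",  None), # relay -> rest of inside
    ("permit", "tcp", "10.1.1.25/32", "0.0.0.0/0",       25),   # relay -> anywhere on 25
]


def evaluate(acl, src, dst, proto, dport):
    """Return the action of the first ACE that matches; implicit deny if none does."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:      # "ip" matches any protocol
            continue
        if src_ip not in ipaddress.ip_network(ace_src):
            continue
        if dst_ip not in ipaddress.ip_network(ace_dst):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"  # the implicit deny-all at the end of every ASA ACL


def reachable_inside(acl, inside_net="192.168.0.0/24", relay="10.1.1.25"):
    """Inside hosts the relay could reach on TCP/25 under the given ACE order."""
    return [str(h) for h in ipaddress.ip_network(inside_net).hosts()
            if evaluate(acl, relay, str(h), "tcp", 25) == "permit"]


if __name__ == "__main__":
    print("ordered as posted :", reachable_inside(DMZ_IN))
    print("permit-any first  :", len(reachable_inside(list(reversed(DMZ_IN)))), "hosts")
    print("relay -> Internet :", evaluate(DMZ_IN, "10.1.1.25", "203.0.113.5", "tcp", 25))
```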
