I have a few servers placed on our DMZ; they all have static NAT. In order to access any port on the internet I need to put an ACL that allows traffic from the DMZ to any. Shouldn't the DMZ by default be allowed to access the Internet, since it is on the higher security side?
Thanks and best regards
If you permit http traffic to any at the top of the access-list on the DMZ interface, it allows http to the internet as well as to the inside network. After that, even if you deny the unwanted traffic below it, that will not be effective, because the PIX/ASA processes the access-list in order until the first match.
Here you need to deny the unwanted traffic first, before you give 'permit ip any any eq http', so that all the specified unwanted traffic is blocked first. It is a time-consuming and not very effective method. Loopholes can occur.
Another effective way of doing this is Policy NAT and Static Policy NAT.
Here we can define the source and destination address ranges that can communicate with another interface in the NAT command itself. An access-list along with this Policy NAT is an effective method.
Please visit the following URL for more info about this:
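As an added illustration, not part of the original thread or the replier's own configuration, the following PIX/ASA configuration (pre-8.3 syntax, all addresses constructed: dmz 192.168.10.0/24, inside 10.0.0.0/8, public range 203.0.113.0/24) shows the ordering the reply describes: the specific deny for DMZ-to-inside traffic placed above the broad outbound permit, followed by a policy static NAT whose access-list names the source and destination the translation applies to.

```text
! Constructed example (not from the thread). Interfaces: dmz, inside, outside.

! 1. Deny DMZ -> inside first. The ASA stops at the first matching line,
!    so this entry must sit above the broad permit that follows.
access-list DMZ_IN extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0

! 2. Then permit only the outbound services the DMZ servers actually need.
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list DMZ_IN extended permit udp 192.168.10.0 255.255.255.0 host 203.0.113.53 eq domain

! 3. Everything else from the DMZ is dropped by the implicit deny at the end.
access-group DMZ_IN in interface dmz

! Policy static NAT for the web server 192.168.10.5: the translation to
! 203.0.113.5 is applied only for the source/destination pairs that match
! this access-list. Narrow the destination field (instead of "any") to
! limit which outside networks the mapped address is used toward.
access-list WEB_POLICY_NAT extended permit ip host 192.168.10.5 any
static (dmz,outside) 203.0.113.5 access-list WEB_POLICY_NAT

! Checks after applying:
!   show access-list DMZ_IN   -> per-line hit counts confirm the deny is matched first
!   show xlate                -> confirms the policy translation is built as expected
```

The hit counters from show access-list are the quickest way to confirm that the deny line is being matched before the permit; if the deny line shows zero hits while inside hosts are reachable from the DMZ, the entries are in the wrong order.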