DMZ to access internet

Answered Question
Jan 20th, 2009

Hello,

I have a few servers placed on our DMZ; they all have static NAT. In order to access any port on the internet I need to put an ACL that allows traffic from DMZ to any. Shouldn't the DMZ by default be allowed to access the Internet, as it is on the higher security side?

Thanks and best regards

WO

Wajma_2 Tue, 01/20/2009 - 16:18

I forgot to mention the firewall is ASA 5520 version 7.0.

Jithesh K Joy Tue, 01/20/2009 - 20:21

Hi Wajma,

You are correct. By default, any higher security level interface will be able to access the lower security level interface in ASA.

But when you apply any access-list (either permit or deny) to the DMZ interface, all other traffic will be blocked from the DMZ zone because ASA adds 'deny ip any any' at the end of the access-list automatically. So all other traffic will be denied except the ones which are implicitly permitted.

1) All internet traffic will be permitted from DMZ if you don't apply any access-list to DMZ.

2) If you apply any access-list you need to specify all the allowed traffic from DMZ. All others which are not permitted explicitly will be dropped. Remember 'deny ip any any' will be added automatically at the end of the access-list.

Regards

Jithesh

Wajma_2 Wed, 01/21/2009 - 08:51

Hi Jithesh,

Thank you for your response. Now when I allow http to any on the DMZ interface, it actually allows http to the internet and the inside network. Then I have to add a deny statement after every allow statement to deny access to the internal network. Am I right, or is there a better way of doing this?

Thank you.

Correct Answer
Jithesh K Joy Wed, 01/21/2009 - 20:38

Hi Wajma,

If you permit http traffic to any at the top of the access-list on the DMZ interface, it allows http to the internet as well as the inside network. After that, even if you deny the unwanted traffic below, that will not be effective, because PIX/ASA will process the access-list in order until the first match comes.

Here you need to deny the unwanted traffic first before you give 'permit ip any any eq http' so that all the specified unwanted traffic will be blocked first. It is a time-consuming and not an effective method. Loopholes can occur.

Another effective way of doing this is Policy NAT and Static Policy NAT.

Here we can define the source and destination range addresses which can communicate with another interface in the NAT command itself. Access-lists along with this Policy NAT are an effective method.

Please visit the following URL for more info about this:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Regards

Jithesh
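As an added example (not from the thread or from Cisco), a small Python model of the first-match access-list evaluation Jithesh describes, using constructed DMZ and inside ranges: the same two entries in both orders show why the DMZ-to-inside deny must sit above 'permit ... eq www', and an empty list shows the implicit 'deny ip any any'.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed address ranges for this example (assumptions, not from the thread).
INSIDE = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.168.100.0/24")


class Ace(NamedTuple):
    """One access-list entry in the spirit of 'access-list X extended ...'."""
    action: str                                # "permit" or "deny"
    proto: str                                 # "ip" matches any protocol
    src: Optional[ipaddress.IPv4Network]       # None means "any"
    dst: Optional[ipaddress.IPv4Network]       # None means "any"
    dport: Optional[int]                       # None means any destination port


def ace_matches(ace, src_ip, dst_ip, proto, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src is not None and src_ip not in ace.src:
        return False
    if ace.dst is not None and dst_ip not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Top-down, first match wins; implicit 'deny ip any any' if nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace_matches(ace, src_ip, dst_ip, proto, dport):
            return ace.action
    return "deny"


# Ordering from the thread: permit web to any first. The deny beneath it is
# never reached for port 80, so a DMZ host can still reach inside on http.
PERMIT_FIRST = [
    Ace("permit", "tcp", None, None, 80),
    Ace("deny", "ip", DMZ, INSIDE, None),
]
# Deny DMZ->inside first, then permit web to anywhere else (the internet).
DENY_FIRST = [
    Ace("deny", "ip", DMZ, INSIDE, None),
    Ace("permit", "tcp", None, None, 80),
]
```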
