DMZ to access internet

Wajma_2
Level 1

Hello,

I have a few servers placed on our DMZ; they all have static NAT. In order to access any port on the internet I need to put an ACL that allows traffic from DMZ to any. Shouldn't the DMZ by default be allowed to access the Internet, since it is on the higher security side?

Thanks and best regards

WO

Accepted Solution

Hi Wajma,

If you permit http traffic to any at the top of the access-list on the DMZ interface, it allows http to the internet as well as to the inside network. After that, even if you deny the unwanted traffic below, that will not be effective, because PIX/ASA will process the access-list in order until the first match comes.

Here you need to deny the unwanted traffic first, before you give 'permit ip any any eq http', so that all the specified unwanted traffic will be blocked first. It is a time-consuming and not an effective method. Loopholes can occur.

Another effective way of doing this is Policy NAT & Static Policy NAT.

Here we can define the source and destination address ranges which can communicate with another interface in the NAT command itself. Access-lists along with this Policy NAT are an effective method.

Please visit the following URL for more info about this:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Regards

Jithesh
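Added example (my own code, not from this thread or from Cisco): a small Python model of the first-match evaluation Jithesh describes, with the implicit 'deny ip any any' appended to an applied ACL. The DMZ, inside and internet addresses are constructed for illustration. It shows both points made in the replies: permitting http to any ahead of the deny lets the DMZ reach the inside network, placing the deny first fixes that, and anything not explicitly permitted (here https) falls through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry, in the order it appears on the ASA."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, else e.g. "tcp"
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    dport: Optional[int] = None   # destination port, None = any port


def _net_matches(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """First-match evaluation: the first ACE that matches decides the packet.
    If nothing matches, the implicit 'deny ip any any' at the end applies."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _net_matches(ace.src, src) and _net_matches(ace.dst, dst):
            return ace.action
    return "deny"   # implicit deny appended by the ASA to every applied ACL


# Constructed addressing for the example (not from the thread).
INSIDE_NET = "192.168.1.0/24"
DMZ_HOST = "10.10.10.5"
INSIDE_HOST = "192.168.1.20"
INTERNET_HOST = "203.0.113.10"

# Problem order: the broad permit is hit before the deny, so the deny never fires.
PERMIT_FIRST = [
    Ace("permit", "tcp", "any", "any", 80),
    Ace("deny", "ip", "any", INSIDE_NET),
]

# Fixed order: deny DMZ -> inside first, then permit http to anything else.
DENY_FIRST = [
    Ace("deny", "ip", "any", INSIDE_NET),
    Ace("permit", "tcp", "any", "any", 80),
]
```

With DENY_FIRST, http from the DMZ host to INTERNET_HOST is permitted, http to INSIDE_HOST is denied, and https (port 443) to anywhere is dropped by the implicit deny because no ACE permits it.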


4 Replies

Wajma_2
Level 1

I forgot to mention the firewall is ASA 5520 version 7.0.

Hi Wajma,

You are correct. By default, any higher security level interface will be able to access the lower security level interface in ASA.

But when you apply any access-list (either permit or deny) to the DMZ interface, all other traffic will be blocked from the DMZ zone, because the ASA adds 'deny ip any any' at the end of the access-list automatically. So all other traffic will be denied except the ones which are explicitly permitted.

1) All internet traffic will be permitted from the DMZ if you don't apply any access-list to the DMZ.

2) If you apply any access-list, you need to specify all the allowed traffic from the DMZ. All others which are not permitted explicitly will be dropped. Remember, 'deny ip any any' will be added automatically at the end of the access-list.

Regards

Jithesh

Hi Jithesh,

Thank you for your response. Now when I allow http to any on the DMZ interface, it actually allows http to the internet and to the inside network. Then I have to add a deny statement after every allow statement to deny access to the internal network. Am I right, or is there a better way of doing this?

Thank you.

