01-20-2009 03:54 PM - edited 03-11-2019 07:39 AM
Hello,
I have a few servers placed on our DMZ; they all have static NAT. In order to access any port on the internet I need to put an ACL that allows traffic from DMZ to any. Shouldn't the DMZ by default be allowed to access the Internet, as it is on the higher security side?
Thanks and best regards
WO
01-20-2009 04:18 PM
I forgot to mention the firewall is ASA 5520 version 7.0.
01-20-2009 08:21 PM
Hi Wajma,
You are correct. By default, any higher security level interface will be able to access the lower security level interface in ASA.
But when you apply any access-list (either permit or deny) to the DMZ interface, all other traffic will be blocked from the DMZ zone because ASA adds 'deny ip any any' at the end of the access-list automatically. So all other traffic will be denied except the ones which are implicitly permitted.
1) All internet traffic will be permitted from DMZ if you don't apply any access-list to DMZ.
2) If you apply any access-list you need to specify all the allowed traffic from DMZ. All others which are not permitted explicitly will be dropped. Remember 'deny ip any any' will be added automatically at the end of the access-list.
Regards
Jithesh
01-21-2009 08:51 AM
Hi Jithesh,
Thank you for your response. Now when I allow http to any on the DMZ interface, it actually allows http to the internet and the inside network. Then I have to add a deny statement after every allow statement to deny access to the internal network. Am I right, or is there a better way of doing this?
Thank you.
01-21-2009 08:38 PM
Hi Wajma,
If you permit http traffic to any at the top of the access-list on the DMZ interface, it allows http to the internet as well as the inside network. After that, even if you deny the unwanted traffic below, that will not be effective, because PIX/ASA will process the access-list in order until the first match comes.
Here you need to deny the unwanted traffic first, before you give 'permit ip any any eq http', so that all the specified unwanted traffic will be blocked first. It is a time-consuming and not an effective method. Loopholes can occur.
Another effective way of doing this is Policy NAT and Static Policy NAT.
Here we can define the source and destination address ranges which can communicate with another interface in the NAT command itself. An access-list along with Policy NAT is an effective method.
Please visit the following URL for more info about this:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
Regards
Jithesh
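A worked ASA configuration for the ordering problem Jithesh describes, added here as an example and not part of the thread: the interface name `dmz`, the DMZ subnet 192.168.10.0/24 and the inside subnet 10.0.0.0/8 are assumed placeholders, and the lines use the 7.x `extended` access-list form with subnet masks.

```text
! Mis-ordered: the first line already matches HTTP to the inside network
! as well as to the Internet, so the deny below it is never reached
! (the ASA stops at the first matching entry).
access-list DMZ_IN extended permit tcp any any eq www
access-list DMZ_IN extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! Corrected: deny DMZ -> inside first, then permit only the outbound
! services the DMZ hosts need. The automatic 'deny ip any any' at the
! end still drops everything not listed.
access-list DMZ_OUT extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_OUT extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list DMZ_OUT extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-group DMZ_OUT in interface dmz
!
! Check the entry order and hit counts after applying the list:
show access-list DMZ_OUT
```

If the deny line's hit count stays at zero while DMZ hosts can still reach inside addresses, the permit is sitting above it and the list needs reordering.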