Any-to-any less secure networks disappears on DMZ when configuring ACL

I have an ASA 5505 running 7.2(4).

I have a dmz configured which can access the outside via the implicit rule to permit all traffic to less secure networks.

When I try to apply an access-list on the dmz interface to permit https access to a server inside, I can access the server but the "any less secure" rule does not apply anymore.

What am I missing? I guess it is not the correct way to do this?


eddie.mitchell@... Thu, 02/12/2009 - 13:37

Every ACL contains an implicit deny. Therefore, when you apply the ACL on the DMZ interface to allow access to the inside, it will implicitly deny all other traffic that enters that interface. You need to add ACEs to your DMZ access list to permit traffic to the outside.

eddie.mitchell@... Fri, 02/13/2009 - 05:50

I would add ACEs for your DMZ host(s) to access any destination outside, but for specific ports (80, 443, UDP 53, etc.). (In other words, don't use a permit ip any any statement.) Hopefully, you are also using nat-control with static statements to further control traffic from the DMZ to the inside.

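To make the two replies above concrete, here is an added example (not code from the original thread or from Cisco) that models how the ASA walks an extended ACL: top to bottom, first matching ACE decides, and a flow that matches nothing hits the implicit deny. It parses two constructed ACLs in ASA syntax, the single https ACE the asker applied and a fixed version in the spirit of the replies (specific outbound ports, no `permit ip any any`), and evaluates the same constructed flows against both. The ACL name `DMZ_IN`, the DMZ network 192.168.2.0/24, the inside network 10.1.1.0/24, the outside addresses and the explicit `deny ip any 10.1.1.0 255.255.255.0` ACE placed before the outbound permits are all assumptions made for this illustration; that deny line is a design choice of this example, added so that `permit tcp ... any eq www` cannot also reach inside web servers. The nat-control/static side mentioned in the second reply is not modeled.

```python
"""Model of ASA ACL evaluation: first match wins, implicit deny at the end.

Added example, not code from the original thread. Addresses, ACL name and the
flows below are constructed for illustration.
"""
import ipaddress

# Service keywords the ASA accepts in place of port numbers (subset)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}

# Constructed: the single ACE the asker applied inbound on the dmz interface
# (bound with: access-group DMZ_IN in interface dmz).
ACL_AS_POSTED = [
    "access-list DMZ_IN extended permit tcp any host 10.1.1.10 eq https",
]

# Constructed fix in the spirit of the replies: keep the https ACE, block
# everything else headed for the inside network (assumed 10.1.1.0/24), then
# permit only the services the DMZ hosts need outbound (no "permit ip any any").
ACL_FIXED = [
    "access-list DMZ_IN extended permit tcp any host 10.1.1.10 eq https",
    "access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0",
    "access-list DMZ_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq www",
    "access-list DMZ_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq https",
    "access-list DMZ_IN extended permit udp 192.168.2.0 255.255.255.0 any eq domain",
]


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a real subnet mask here, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow, the way the ASA walks the ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue                  # 'ip' matches any protocol
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue                  # no 'eq' means any port
        return ace["action"]          # first matching ACE decides
    return "deny"                     # the implicit deny every ACL ends with


# Constructed flows: DMZ host 192.168.2.10, inside 10.1.1.0/24, outside 198.51.100.0/24
FLOWS = {
    "dmz->inside https": ("tcp", "192.168.2.10", "10.1.1.10", 443),
    "dmz->outside http": ("tcp", "192.168.2.10", "198.51.100.5", 80),
    "dmz->outside dns":  ("udp", "192.168.2.10", "198.51.100.53", 53),
    "dmz->outside smtp": ("tcp", "192.168.2.10", "198.51.100.25", 25),
    "dmz->inside http":  ("tcp", "192.168.2.10", "10.1.1.20", 80),
}


def verdicts(acl_lines):
    """Map each constructed flow to the action the given ACL produces."""
    return {name: evaluate(acl_lines, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    posted, fixed = verdicts(ACL_AS_POSTED), verdicts(ACL_FIXED)
    print(f"{'flow':20} {'as posted':10} {'fixed':10}")
    for name in FLOWS:
        print(f"{name:20} {posted[name]:10} {fixed[name]:10}")
```

Run as a script it prints the verdict table: with the ACL as posted only the https flow to the inside server is permitted and every DMZ-to-outside flow falls through to the implicit deny, which is exactly the symptom in the question. With the fixed ACL the outbound web and DNS flows are permitted, outbound SMTP is still denied because no ACE names port 25, and DMZ-to-inside port 80 is denied by the explicit deny ACE even though the later `any eq www` permit would otherwise have matched it; ACE order matters because evaluation stops at the first match.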