Question

Answered Question
May 19th, 2009

As I have muddled through setting up and working on a firewall, I have a couple of questions:

1. When you create an inbound (incoming) rule (for example, permitting HTTP traffic) from a lower security interface (DMZ) to a higher security interface (inside), do you need to have a rule on the 'inside' interface in the outbound direction to allow the HTTP traffic through? Or does the incoming rule on the lower security interface (DMZ) take care of that? Maybe my question is really: is there an implied outgoing ACL on the inside interface that would stop traffic coming from a DMZ interface?

2. When you apply rules to an interface, where is the best place to apply them - incoming or outgoing? I am assuming closest to the sending device, correct?


Jon Marshall Tue, 05/19/2009 - 08:11

1) A firewall such as the PIX/ASA is stateful, so if you allow traffic through from a lower to a higher security interface then the return traffic is automatically allowed. Note that this applies to TCP/UDP and now ICMP.


But, for example, if you wanted to allow GRE through your firewall you would need to allow it both ways, as it is not stateful.


However, TCP/UDP account for the vast majority of traffic, and things like GRE are the exception rather than the rule.


2) As close to the source as possible is best, so usually ACLs are applied in an inbound direction.


Jon

oneirishpollack Tue, 05/19/2009 - 09:33

And just to be clear, there is no implicit ACL in an outbound direction if you don't specifically have one applied?

Jon Marshall Tue, 05/19/2009 - 10:14

There is no implicit ACL in any direction from a higher to a lower security interface, i.e. traffic will be allowed by default from a higher to a lower security interface.


Jon

oneirishpollack Tue, 05/19/2009 - 10:41

And from a lower (DMZ) to a higher interface (inside), as long as there is an incoming rule on the lower interface (DMZ) that allows the traffic through, it will be able to access devices on the higher security interface.


So this:


access-list DMZ_access_in extended permit tcp any any eq www


will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?


Thanks Jon. Sorry for all the questions, I just want to be sure I have a clear understanding.



Correct Answer
Jon Marshall Tue, 05/19/2009 - 10:45

"access-list DMZ_access_in extended permit tcp any any eq www


will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?"


If the ACL DMZ_access_in is applied inbound to the DMZ interface, then yes, the above would allow HTTP traffic from any device in the DMZ to any device on the inside.


"or a lower security interface for that matter)"


Yes, but note that you wouldn't need an ACL if you just wanted to allow traffic from the DMZ to a lower security interface.


"Sorry for all the questions, I just want to be sure I have a clear understanding."


No need to apologise, this is what NetPro is for. Feel free to ask as many questions as you want :-)


Jon
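The two points Jon makes in this thread (his first reply on stateful return traffic, GRE needing a permit in both directions and inbound ACL placement, and the accepted answer on what DMZ_access_in applied inbound on the DMZ actually lets through) can be checked against a small model. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed ASA-style config fragment and decides packets the way the thread describes. The interface names (outside/inside/DMZ), security levels (0/100/50), the host addresses and the outside_access_in ACL are assumptions made up for the example; the parser understands only the handful of keywords used in that fragment. One documented ASA behaviour the thread does not spell out is included as a caveat: once an ACL is bound to an interface, the implicit deny at its end applies even to traffic headed for a lower security interface.

```python
"""Toy model of the PIX/ASA behaviour described in this thread (constructed
example, not ASA code): security levels, one inbound ACL per interface, and a
connection table that lets TCP/UDP/ICMP replies back without an outbound ACL.
GRE is not tracked, so its reverse direction needs an explicit permit."""
from collections import namedtuple

# Constructed ASA-style fragment; interface names, levels and addresses are
# assumptions, not taken from the thread. Only these keywords are parsed.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
access-list DMZ_access_in extended permit tcp any any eq www
access-group DMZ_access_in in interface DMZ
access-list outside_access_in extended permit gre any host 10.1.1.5
access-group outside_access_in in interface outside
"""
PORT_NAMES = {"www": 80}
STATEFUL = {"tcp", "udp", "icmp"}  # protocols the ASA tracks, per the thread

# sport/dport stay None for protocols without ports (GRE here)
Packet = namedtuple("Packet", "src_if dst_if proto src dst sport dport", defaults=(None, None))
Ace = namedtuple("Ace", "action proto src dst dport")


class Firewall:
    def __init__(self):
        self.security, self.acls, self.bound, self.conns = {}, {}, {}, set()


def _addr(words):
    # 'any' or 'host A.B.C.D' -> (pattern, remaining words)
    if words[0] == "any":
        return "any", words[1:]
    if words[0] == "host":
        return words[1], words[2:]
    raise ValueError("unsupported address form: " + words[0])


def parse_config(text):
    fw, cur = Firewall(), None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "interface":
            cur = {}
        elif w[0] == "nameif":
            cur["name"] = w[1]
        elif w[0] == "security-level":
            fw.security[cur["name"]] = int(w[1])
        elif w[0] == "access-list":  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, rest = _addr(w[5:])
            dst, rest = _addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            fw.acls.setdefault(w[1], []).append(Ace(w[3], w[4], src, dst, dport))
        elif w[0] == "access-group":  # access-group NAME in interface IFACE
            fw.bound[w[4]] = w[1]
    return fw


def acl_verdict(fw, p):
    """None if no ACL is bound inbound on the ingress interface; otherwise the
    first matching ACE decides and the implicit deny at the end catches the rest."""
    name = fw.bound.get(p.src_if)
    if name is None:
        return None
    for a in fw.acls.get(name, []):
        if (a.proto in ("ip", p.proto) and a.src in ("any", p.src)
                and a.dst in ("any", p.dst) and a.dport in (None, p.dport)):
            return a.action == "permit"
    return False


def forward(fw, p):
    """Decide one packet the way the thread describes; returns (verdict, reason)."""
    key = (p.proto, p.src, p.sport, p.dst, p.dport)
    if p.proto in STATEFUL and (p.proto, p.dst, p.dport, p.src, p.sport) in fw.conns:
        return "permit", "return traffic of an existing connection"
    v = acl_verdict(fw, p)
    if v is None:  # no ACL on the ingress interface: security levels decide
        allowed = fw.security[p.src_if] > fw.security[p.dst_if]
        why = "higher-to-lower, allowed by default" if allowed else "lower-to-higher needs an inbound ACL"
    else:
        allowed, why = v, "ACL %s: %s" % (fw.bound[p.src_if], "permit" if v else "implicit deny")
    if allowed and p.proto in STATEFUL:
        fw.conns.add(key)  # GRE never gets an entry, so its reply must match an ACL
    return ("permit" if allowed else "deny"), why


def scenario():
    """The flows argued over in the thread, run in order against ASA_CONFIG."""
    fw, r = parse_config(ASA_CONFIG), {}
    dmz, web, ext = "172.16.1.10", "10.1.1.5", "203.0.113.9"
    r["dmz_to_inside_http"] = forward(fw, Packet("DMZ", "inside", "tcp", dmz, web, 40000, 80))[0]
    r["inside_reply"] = forward(fw, Packet("inside", "DMZ", "tcp", web, dmz, 80, 40000))[0]
    r["dmz_to_inside_ssh"] = forward(fw, Packet("DMZ", "inside", "tcp", dmz, web, 40001, 22))[0]
    r["inside_to_outside_https"] = forward(fw, Packet("inside", "outside", "tcp", web, ext, 50000, 443))[0]
    r["outside_tcp_reply"] = forward(fw, Packet("outside", "inside", "tcp", ext, web, 443, 50000))[0]
    r["outside_unsolicited"] = forward(fw, Packet("outside", "inside", "tcp", ext, web, 1234, 80))[0]
    r["inside_gre_out"] = forward(fw, Packet("inside", "outside", "gre", web, ext))[0]
    r["outside_gre_reply"] = forward(fw, Packet("outside", "inside", "gre", ext, web))[0]
    # Caveat: once DMZ_access_in is bound, its implicit deny also governs DMZ -> outside.
    r["dmz_to_outside_https"] = forward(fw, Packet("DMZ", "outside", "tcp", dmz, ext, 40002, 443))[0]
    return r


if __name__ == "__main__":
    print(scenario())
```

Running it shows the thread's answers in one pass: the DMZ-to-inside HTTP request is permitted by DMZ_access_in and its reply comes back with no ACL on the inside interface; an inside-to-outside TCP connection is allowed by security level alone and its reply is let in by the connection table even though outside_access_in never mentions TCP; the GRE packet leaving the inside is allowed by default, but because nothing tracks it, the GRE reply only gets in because outside_access_in permits it explicitly, which is Jon's "both ways" point.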
