DMZ ACL

Unanswered Question
Sep 8th, 2009

Setting up a new DMZ on my ASA 5520 running 7.2(3). I want to allow by exception into the internal network, but allow everything out to the external network. I'm only using private addresses on the internal network. If I simply have a few permit statements in the acl, followed by deny to 10./8, 172.16/12, 192.168./16, that should cover all of the internal networks that I'm using (subnetted 172.16. & 10. networks), right?

At first I was trying to do a deny statement for each internal network, but that's going to be a pain to implement and maintain.

Thanks!

Collin Clark Tue, 09/08/2009 - 12:48

Yes you can use the masks. You can also group the networks together using an object group to make it even cleaner.

object-group network BLOCK_RFC_1918
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
access-list DMZ extended deny ip any object-group BLOCK_RFC_1918

Hope that helps
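An added example, not part of the thread, that models the ACL above as a first-match list in Python and checks the two things that decide whether it does what the question asks: the permit exceptions must sit before the RFC 1918 deny, and because an ASA ACL ends in an implicit deny, an explicit permit for everything else is needed after it for the "allow everything out" part. The exception host 10.20.30.25 and the test destinations are constructed values.

```python
# Added example (not from the thread): a first-match evaluator for the ASA-style DMZ
# ACL being discussed, to check that the rule order does what the poster wants.
# The internal exception 10.20.30.25 and all test addresses are constructed values.
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[str, List[Net]]  # (action, destination networks); source is always "any"

# Same three networks as Collin's object-group BLOCK_RFC_1918.
BLOCK_RFC_1918 = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def build_dmz_acl(exceptions: List[str], explicit_permit_any: bool = True) -> List[Rule]:
    """Permit listed internal hosts, deny the rest of RFC 1918, then permit everything else.

    The trailing 'permit ip any any' is not optional: every ASA ACL ends in an implicit
    deny, so without it the 'allow everything out' requirement is silently unmet."""
    acl: List[Rule] = [("permit", [ipaddress.ip_network(e)]) for e in exceptions]
    acl.append(("deny", BLOCK_RFC_1918))   # access-list DMZ extended deny ip any object-group BLOCK_RFC_1918
    if explicit_permit_any:
        acl.append(("permit", ANY))        # access-list DMZ extended permit ip any any
    return acl


def evaluate(acl: List[Rule], dst: str) -> str:
    """Return the action of the first matching line, or the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for action, nets in acl:
        if any(ip in net for net in nets):
            return action
    return "deny"


def shadowed_lines(acl: List[Rule]) -> List[int]:
    """Indices of lines that can never match because an earlier line with the opposite
    action already covers every destination they list (e.g. a permit exception that
    was accidentally placed after the RFC 1918 deny)."""
    shadowed = []
    for i, (action, nets) in enumerate(acl):
        for earlier_action, earlier_nets in acl[:i]:
            if earlier_action != action and all(
                    any(n.subnet_of(e) for e in earlier_nets) for n in nets):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    acl = build_dmz_acl(["10.20.30.25/32"])
    for dst in ("10.20.30.25", "10.20.30.26", "172.31.0.1", "172.32.0.1", "198.51.100.7"):
        print(f"{dst:>14} -> {evaluate(acl, dst)}")
```

Note that 172.32.0.1 is permitted: 172.16.0.0 255.240.0.0 covers only 172.16 through 172.31, so the /12 mask matches exactly the private range and nothing beyond it.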
