DMZ outside access

Answered Question
Mar 30th, 2010

I am having one of those moments where my brain is imploding....


I have an ASA running 8.x.

Inside = 100
DMZ = 30
Outside = 0


Am I correct in saying....


All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.


All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.


Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.


Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any any' (to less secure) ACE applied?

Correct Answer by Jon Marshall about 7 years 4 months ago

All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.

All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.


Correct. More specifically, it is allowed by default unless you have applied an ACL to that interface.


Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.

Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any any' (to less secure) ACE applied?


Exactly. As soon as an ACL is applied to an interface, all traffic is checked against that ACL regardless of security level.


Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
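The two rules in Jon's answer, as an added example that is not part of the thread: a small Python model of the ASA forwarding decision, with the security levels from the question. Addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for inside, 203.0.113.5 outside) are constructed assumptions, and the "fixed" ACL is one common way to restore DMZ-to-Outside access without also opening DMZ-to-Inside.

```python
# Added example (not from the original thread): a model of how an ASA decides
# whether to forward a new connection between two interfaces.
#   Rule 1: with no ACL on the ingress interface, traffic is allowed only from a
#           higher security level to a lower one.
#   Rule 2: once an ACL is applied inbound on that interface, every flow is
#           checked against the ACL and the implicit deny drops the rest.
from ipaddress import ip_address, ip_network

SECURITY_LEVELS = {"inside": 100, "dmz": 30, "outside": 0}   # from the question

def ace(action, src, dst="0.0.0.0/0"):
    """One access-control entry: ('permit'|'deny', source net, destination net)."""
    return (action, ip_network(src), ip_network(dst))

def acl_verdict(acl, src, dst):
    """First-match evaluation, ending in the ASA's implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def permitted(ingress, egress, src, dst, acls):
    """Is a new connection entering `ingress` and leaving `egress` allowed?"""
    if ingress in acls:          # ACL applied: security levels no longer matter
        return acl_verdict(acls[ingress], src, dst)
    return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]

# Constructed sample hosts (documentation ranges), not from the thread.
DMZ_WEB, DMZ_MAIL, OUTSIDE_HOST, INSIDE_HOST = "192.0.2.10", "192.0.2.20", "203.0.113.5", "10.1.1.5"

def scenarios():
    # 1. No ACL on dmz: 30 -> 0 is allowed by default.
    no_acl = permitted("dmz", "outside", DMZ_MAIL, OUTSIDE_HOST, {})
    # 2. One ACE for the web host is applied to dmz: the mail host now hits the
    #    implicit deny, which is exactly the symptom described in the question.
    one_ace = {"dmz": [ace("permit", DMZ_WEB + "/32")]}
    web_ok = permitted("dmz", "outside", DMZ_WEB, OUTSIDE_HOST, one_ace)
    mail_ok = permitted("dmz", "outside", DMZ_MAIL, OUTSIDE_HOST, one_ace)
    # 3. One way to fix it: deny dmz -> inside first, then permit dmz -> any,
    #    restoring the "to less secure" behaviour without opening dmz -> inside.
    fixed = {"dmz": [ace("deny", "192.0.2.0/24", "10.0.0.0/8"),
                     ace("permit", "192.0.2.0/24")]}
    mail_fixed = permitted("dmz", "outside", DMZ_MAIL, OUTSIDE_HOST, fixed)
    inside_blocked = permitted("dmz", "inside", DMZ_MAIL, INSIDE_HOST, fixed)
    return no_acl, web_ok, mail_ok, mail_fixed, inside_blocked

if __name__ == "__main__":
    print(scenarios())   # (True, True, False, True, False)
```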
