DMZ outside access

oneirishpollack
Level 1

I am having one of those moments where my brain is imploding....

I have an ASA running 8.x.

Inside = 100

DMZ = 30

Outside = 0

Am I correct in saying....

All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.

All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.

Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.

Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any any less secure' ACE applied?

Accepted Solution
Jon Marshall
Hall of Fame

All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.

All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.

Correct. More specifically, it is allowed by default unless you have applied an ACL to that interface.

Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.

Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any any less secure' ACE applied?

Exactly. As soon as an ACL is applied to an interface then all traffic is checked against that ACL regardless of security level.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
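The behaviour Jon describes, shown as an added ASA configuration example (this is not from the thread and not Cisco's own documentation). Interface names and security levels follow the question (inside 100, dmz 30, outside 0); the subnets, the host 192.168.30.10, the ACL name DMZ_IN and the interface numbering are assumed for illustration. Block (a) reproduces the problem: one ACE bound inbound on dmz replaces the security-level check for everything sourced from that interface, so every other DMZ host falls through to the implicit deny. Block (b) is the fix, with the caveat a practitioner should not skip: once the ACL is what is being checked, a bare "permit ip any any" would also let the DMZ initiate traffic to the higher-security inside network, so deny that explicitly before the broad permit.

```cisco
! Added example, not from the original thread. Addresses, ACL name and
! interface numbers are assumed; security levels match the question.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 30
 ip address 192.168.30.1 255.255.255.0
!
! (a) What the original poster hit: a single ACE applied inbound on dmz.
!     From this point the ACL, not the security level, governs all traffic
!     entering dmz, and the implicit deny at the end of the list drops
!     every other DMZ host trying to reach the outside.
access-list DMZ_IN extended permit tcp host 192.168.30.10 any eq 25
access-group DMZ_IN in interface dmz
!
! (b) Corrected: keep the specific ACE, then explicitly deny the DMZ
!     subnet from initiating to inside (the ACL would otherwise allow it),
!     then permit the rest of the DMZ to anything else (i.e. outside).
!     Order matters: the deny must sit above the broad permit.
access-list DMZ_IN remark DMZ must never initiate to the inside network
access-list DMZ_IN extended deny ip 192.168.30.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ_IN remark everything else from the DMZ may go out
access-list DMZ_IN extended permit ip 192.168.30.0 255.255.255.0 any
!
! Verify which ACE a flow matches before trusting the result:
! hit counts per ACE, and a simulated DMZ host browsing an outside address
! versus the same host trying to reach an inside address.
show access-list DMZ_IN
packet-tracer input dmz tcp 192.168.30.20 40000 198.51.100.10 80
packet-tracer input dmz tcp 192.168.30.20 40000 10.0.0.50 445
```

The first packet-tracer should report an allow on the final permit ACE; the second should report a drop on the deny ACE. If the second one is allowed, the deny line is either missing or ordered after the broad permit.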

Thanks Jon. As usual, you are right.
