ASA Questions / Best Practices

Apr 25th, 2011

Hello all,


I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.

I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.

What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...

Now, my DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permits traffic from the DMZ to hosts on my Inside interface as well.

My initial thoughts are to permit www / https from the DMZ subnets to any, and to use deny statements in my Inside interface ACLs for the DMZ IPs that I don't want these systems touching, but I'm just looking for some opinions on the "right" way to accomplish this.

Thanks -


J

Paul Gilbert Arias Mon, 04/25/2011 - 14:58

If you want to allow internet traffic from the DMZ and deny traffic to the inside, you should add the deny statement from the DMZ subnet to the inside subnet at the beginning of the DMZ ACL and then add the permit from DMZ to ANY.

I hope this helps.

john.dowson Tue, 04/26/2011 - 08:18

Just to add to what Paul has said, if we have a rule to allow just Internet access, it is usually preceded with an explicit deny to RFC1918 addresses:

object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
...
access-list dmz_acl deny ip any object-group RFC1918
access-list dmz_acl permit tcp object-group DMZ-Net any object-group WEB-PORTS

Then you would add any other permits, such as to your inside network, above these lines.
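Both replies rest on the same property: an ASA interface ACL is evaluated top-down, the first matching entry wins, and anything that matches nothing hits the implicit deny at the end. The following is an added example, not configuration from the original posters, that models that first-match walk in Python so the ordering advice can be checked before it is applied to a firewall. The subnets (192.168.80.0/24 for the DMZ, 10.1.0.20 as the permitted inside server, 203.0.113.10 as an internet host) are constructed for illustration.

```python
import ipaddress

# Constructed address sets standing in for the object-groups in the thread.
ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_NET = [ipaddress.ip_network("192.168.80.0/24")]       # constructed DMZ1 subnet
INSIDE_SERVERS = [ipaddress.ip_network("10.1.0.20/32")]   # constructed inside server the DMZ may reach
WEB_PORTS = {80, 443}


def ace(action, proto, src, dst, dports=None):
    """One access-control entry; proto 'ip' matches any protocol and ignores ports."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dports": dports}


def _in(addr, nets):
    return any(addr in n for n in nets)


def evaluate(acl, proto, src, dst, dport=None):
    """First-match walk like an ASA interface ACL.

    Returns (action, index) of the first matching entry; index None means no
    entry matched and the implicit deny at the end of the ACL applies.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_in(s, e["src"]) and _in(d, e["dst"])):
            continue
        if e["dports"] is not None and dport not in e["dports"]:
            continue
        return e["action"], i
    return "deny", None


def shadowed_entries(acl, flows):
    """Indices of entries that are never the first match for any probe flow.

    An entry that a representative set of flows never reaches is either dead
    or shadowed by an earlier, broader entry; a deny in that position protects nothing.
    """
    hit = {evaluate(acl, *f)[1] for f in flows}
    return [i for i in range(len(acl)) if i not in hit]


# The original poster's first attempt: one broad permit, which also reaches the inside.
ORIGINAL_DMZ_ACL = [ace("permit", "ip", DMZ_NET, ANY)]

# The ordering the replies recommend: specific permits to the inside first, then
# the deny to RFC1918, then the web permit to anywhere.
CORRECTED_DMZ_ACL = [
    ace("permit", "tcp", DMZ_NET, INSIDE_SERVERS, {443}),
    ace("deny", "ip", ANY, RFC1918),
    ace("permit", "tcp", DMZ_NET, ANY, WEB_PORTS),
]

# The same entries with the deny placed after the web permit: it is shadowed for web ports.
SHADOWED_DENY_ACL = [
    ace("permit", "tcp", DMZ_NET, ANY, WEB_PORTS),
    ace("deny", "ip", ANY, RFC1918),
]

# Constructed probe flows: (proto, src, dst, dport).
PROBES = [
    ("tcp", "192.168.80.10", "10.1.0.5", 80),       # DMZ to an inside host, web port
    ("tcp", "192.168.80.10", "10.1.0.20", 443),     # DMZ to the permitted inside server
    ("tcp", "192.168.80.10", "203.0.113.10", 443),  # DMZ to the internet
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_DMZ_ACL), ("corrected", CORRECTED_DMZ_ACL),
                      ("shadowed", SHADOWED_DENY_ACL)):
        for f in PROBES:
            print(name, f, "->", evaluate(acl, *f))
        print(name, "entries never matched:", shadowed_entries(acl, PROBES))
```

Running the script shows the poster's symptom (the single `permit ip` lets DMZ hosts reach inside hosts), the corrected order denying that flow at the RFC1918 entry while still permitting the inside server and internet web traffic, and `shadowed_entries` flagging the deny as unreachable when it is placed below the web permit.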

Posted April 25, 2011 at 2:27 PM