Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
503
Views
0
Helpful
8
Replies

Access for for new DMZ

Go to solution
Faisal Shabbir
Level 1
Level 1

‎02-15-2014 05:42 AM - edited ‎03-11-2019 08:46 PM

Dear All,

please help me to filter the traffic for a new dmz which i have created right now the follwing acl is under this new dmz

access-list TEST line 1 extended permit ip any any

but i want to allow certain subnets plus an old dmz to access the this new DMZ. i am not expert of FWSM so could you please he to wrire down this ACL ??

Regards

Malik

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Faisal Shabbir

‎02-15-2014 07:50 AM 

now above ACL which is mentioned is on every interafce

Is this ASA in production?  You should most definately remove this ACL from the outside interface if this a production ASA. Also I would suggest finding out what ports you need to allow on the other interfaces and only allow those ports and remove the permit ip any any.

The thing is that unless you remove the permit IP any any you will still be allowing all traffic through even if you configure more specific rules above the permit ip any any.

You should be able to decipher how to configure the ACLs by the config example I posted earlier.  But here it is anyway.

access-list new-to-old extended permit tcp 192.168.95.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 80

access-list old-to-new extended permit tcp 192.168.2.0 255.255.255.0 192.168.95.0 255.255.255.0 eq 80

access-group new-to-old in interface NEW-INTERFACE

access-group old-to-new in interface OLD-INTERFACE

Just adjust the ports you want to allow and/or IPs.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Faisal Shabbir

‎02-15-2014 08:16 AM

Ok,  Then on the new and old DMZ interfaces remove the permit IP any any, and then add the ACLs permitting more specific ports.  As for the outside interface, I would suggest keeping the permit IP any any until you know 100% which ports you are to allow through that interface.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Marius Gunnerud
VIP
VIP

‎02-15-2014 07:22 AM

I am assuming that the new DMZ is not to be able to initiate traffic to the old DMZ and the other subnets.

interface g0/1

description LAN

security-level 100

nameif LAN-subnet

ip address 10.10.10.1 255.255.255.0

interface g0/2

description Old-DMZ

security-level 50

nameif Old-DMZ

ip address 11.11.11.1 255.255.255.0

interface g0/3

description New-DMZ

security-level 50

nameif New-DMZ

ip address 12.12.12.1 255.255.255.0

access-list LAN-to-New-DMZ extended permit tcp 10.10.10.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 21

access-list Old-DMZ-to-New-DMZ extended perit tcp 11.11.11.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 80

access-group LAN-to-New-DMZ in interface LAN

access-group Old-DMZ-to-New-DMZ in interface Old-DMZ

same-security-traffic permit inter-interface

You could use objects when creating the ACLs but for the sake simplicity I have not done so here.  This will allow traffic that is initiated from the LAN and Old-DMZ to access the New-DMZ.  This configuration will however not allow the New-DMZ to initiate any traffic to either of those networks.  If the New-DMZ needs to be able to initiate traffic then you would also need to create an ACL and apply it to the New-DMZ interface.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Faisal Shabbir
Level 1
Level 1
In response to Marius Gunnerud

‎02-15-2014 07:34 AM

Thanks Marius for your reply here the details

inside security level is 100

outside security level is zero

old DMZ security level is zero

New DMZ is security level 50

now above ACL which is mentioned is on every interafce and everything is working fine. from new DMZ i can access every thing but i want to filer more traffic to allow certain subnet's to access new DMZ and old and new dmz should be abale to communicate with each other

new DMZ = 192.168.95.0/24

old DMZ = 192.168.2.0/24

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Faisal Shabbir

‎02-15-2014 07:50 AM 

now above ACL which is mentioned is on every interafce

Is this ASA in production?  You should most definately remove this ACL from the outside interface if this a production ASA. Also I would suggest finding out what ports you need to allow on the other interfaces and only allow those ports and remove the permit ip any any.

The thing is that unless you remove the permit IP any any you will still be allowing all traffic through even if you configure more specific rules above the permit ip any any.

You should be able to decipher how to configure the ACLs by the config example I posted earlier.  But here it is anyway.

access-list new-to-old extended permit tcp 192.168.95.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 80

access-list old-to-new extended permit tcp 192.168.2.0 255.255.255.0 192.168.95.0 255.255.255.0 eq 80

access-group new-to-old in interface NEW-INTERFACE

access-group old-to-new in interface OLD-INTERFACE

Just adjust the ports you want to allow and/or IPs.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Faisal Shabbir
Level 1
Level 1
In response to Marius Gunnerud

‎02-15-2014 07:55 AM

Thanks Marius i will try since FWSM is in production network

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Faisal Shabbir

‎02-15-2014 08:01 AM

Ok since it is in production I would be very careful when removing the permit IP any any rule.  make sure you know all the ports which are in use and have then defined in the ACL before you remove it.  But you should for sure remove it on the outside interface and only allow specific ports into your network.

You could use packet capture, or SPAN the switch port which connects to the ASA  to see what ports are being used.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Faisal Shabbir
Level 1
Level 1
In response to Marius Gunnerud

‎02-15-2014 08:09 AM

Marius i have another FW on perimeter which is doing traffic filtering so not an issue on outside interface, what i want to achieve is to allow subnet's lets say 192.168.10.0/24, 192.168.20.0/24 and 192.168.2.0/24 (old dmz) to communicate with 192.168.95.0/24 (new dmz) rest should be blocked, hope that i explained what i want

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Faisal Shabbir

‎02-15-2014 08:16 AM

Ok,  Then on the new and old DMZ interfaces remove the permit IP any any, and then add the ACLs permitting more specific ports.  As for the outside interface, I would suggest keeping the permit IP any any until you know 100% which ports you are to allow through that interface.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Faisal Shabbir
Level 1
Level 1
In response to Marius Gunnerud

‎02-15-2014 08:18 AM

Thanks Marius

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card