
New Member

Access for new DMZ

Dear All,

Please help me to filter the traffic for a new DMZ which I have created. Right now the following ACL is under this new DMZ:

access-list TEST line 1 extended permit ip any any

But I want to allow certain subnets plus an old DMZ to access this new DMZ. I am not an expert on FWSM, so could you please help me to write down this ACL?

Regards

Malik

8 REPLIES
VIP Green

I am assuming that the new DMZ is not to be able to initiate traffic to the old DMZ and the other subnets.

interface g0/1
 description LAN
 security-level 100
 nameif LAN-subnet
 ip address 10.10.10.1 255.255.255.0
interface g0/2
 description Old-DMZ
 security-level 50
 nameif Old-DMZ
 ip address 11.11.11.1 255.255.255.0
interface g0/3
 description New-DMZ
 security-level 50
 nameif New-DMZ
 ip address 12.12.12.1 255.255.255.0

access-list LAN-to-New-DMZ extended permit tcp 10.10.10.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 21
access-list Old-DMZ-to-New-DMZ extended permit tcp 11.11.11.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 80

access-group LAN-to-New-DMZ in interface LAN-subnet
access-group Old-DMZ-to-New-DMZ in interface Old-DMZ

same-security-traffic permit inter-interface

You could use objects when creating the ACLs, but for the sake of simplicity I have not done so here. This will allow traffic that is initiated from the LAN and Old-DMZ to access the New-DMZ. This configuration will however not allow the New-DMZ to initiate any traffic to either of those networks. If the New-DMZ needs to be able to initiate traffic, then you would also need to create an ACL and apply it to the New-DMZ interface.

--
Please remember to rate and select a correct answer

New Member

Thanks Marius for your reply. Here are the details:

inside security level is 100

outside security level is zero

old DMZ security level is zero

New DMZ is security level 50

Now the above ACL which is mentioned is on every interface and everything is working fine. From the new DMZ I can access everything, but I want to filter more traffic to allow certain subnets to access the new DMZ, and the old and new DMZ should be able to communicate with each other.

new DMZ = 192.168.95.0/24

old DMZ = 192.168.2.0/24

VIP Green

"now the above ACL which is mentioned is on every interface"

Is this ASA in production? You should most definitely remove this ACL from the outside interface if this is a production ASA. Also I would suggest finding out what ports you need to allow on the other interfaces, only allow those ports, and remove the permit ip any any.

The thing is that unless you remove the permit ip any any, you will still be allowing all traffic through, even if you configure more specific rules above the permit ip any any.

You should be able to decipher how to configure the ACLs from the config example I posted earlier. But here it is anyway.

access-list new-to-old extended permit tcp 192.168.95.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 80
access-list old-to-new extended permit tcp 192.168.2.0 255.255.255.0 192.168.95.0 255.255.255.0 eq 80

access-group new-to-old in interface NEW-INTERFACE
access-group old-to-new in interface OLD-INTERFACE

Just adjust the ports you want to allow and/or IPs.

--
Please remember to rate and select a correct answer

New Member

Thanks Marius, I will try, since the FWSM is in a production network.

VIP Green

Ok, since it is in production I would be very careful when removing the permit ip any any rule. Make sure you know all the ports which are in use and have them defined in the ACL before you remove it. But you should for sure remove it on the outside interface and only allow specific ports into your network.

You could use packet capture, or SPAN the switch port which connects to the ASA, to see what ports are being used.

--
Please remember to rate and select a correct answer

New Member

Marius, I have another FW on the perimeter which is doing traffic filtering, so the outside interface is not an issue. What I want to achieve is to allow subnets, let's say 192.168.10.0/24, 192.168.20.0/24 and 192.168.2.0/24 (old DMZ), to communicate with 192.168.95.0/24 (new DMZ); the rest should be blocked. I hope I explained what I want.

VIP Green

Ok. Then on the new and old DMZ interfaces remove the permit ip any any, and then add the ACLs permitting more specific ports. As for the outside interface, I would suggest keeping the permit ip any any until you know 100% which ports you are to allow through that interface.

--
Please remember to rate and select a correct answer

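As an added example (not from this thread, and not Cisco code), here is a small Python first-match evaluator for ASA/FWSM-style extended ACL lines, built around the subnets Malik listed. It checks the two points Marius raised: an entry placed after "permit ip any any" is shadowed and can never match, and once the any-any line is gone the implicit deny at the end of the ACL blocks everything the specific entries do not permit. The ACL name NEW-DMZ and the chosen ports are assumptions.

```python
import ipaddress

# Constructed ASA/FWSM-style ACL lines for the subnets named in this thread (192.168.10.0/24,
# 192.168.20.0/24, old DMZ 192.168.2.0/24, new DMZ 192.168.95.0/24); NEW-DMZ and the ports are assumed.
BEFORE = [  # the shape the thread warns about: any-any first, a specific entry after it
    "access-list NEW-DMZ extended permit ip any any",
    "access-list NEW-DMZ extended permit tcp 192.168.10.0 255.255.255.0 192.168.95.0 255.255.255.0 eq 80",
]
AFTER = [  # any-any removed; everything not listed falls through to the implicit deny
    "access-list NEW-DMZ extended permit tcp 192.168.10.0 255.255.255.0 192.168.95.0 255.255.255.0 eq 80",
    "access-list NEW-DMZ extended permit tcp 192.168.20.0 255.255.255.0 192.168.95.0 255.255.255.0 eq 80",
    "access-list NEW-DMZ extended permit ip 192.168.2.0 255.255.255.0 192.168.95.0 255.255.255.0",
]

def _addr(t):
    """One address spec ('any', 'host A', or 'A MASK'); returns (network, remaining tokens)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    ace = {"action": t[3], "proto": t[4]}
    ace["src"], rest = _addr(t[5:])
    ace["dst"], rest = _addr(rest)
    ace["dport"] = int(rest[1]) if rest[:1] == ["eq"] else None
    return ace

def ace_covers(a, proto, src, dst, dport):
    """True if ACE a matches the flow: 'ip' covers every protocol, no port means any port."""
    return (a["proto"] in ("ip", proto) and src.subnet_of(a["src"])
            and dst.subnet_of(a["dst"]) and a["dport"] in (None, dport))

def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation, then the implicit deny that ends every ASA/FWSM ACL."""
    src, dst = ipaddress.ip_network(src_ip), ipaddress.ip_network(dst_ip)
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_covers(ace, proto, src, dst, dport):
            return ace["action"], i
    return "deny", None

def shadowed(acl_lines):
    """Indices of ACEs that can never match because an earlier ACE already covers them."""
    aces = [parse_ace(line) for line in acl_lines]
    return [j for j, b in enumerate(aces)
            if any(ace_covers(a, b["proto"], b["src"], b["dst"], b["dport"]) for a in aces[:j])]
```

Running shadowed() over a production ACL before touching it is a quick way to find entries that the any-any line has been silently hiding.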
New Member

Thanks Marius
