New Member

Access rules versus security level

Hi all,

Overview/Facts

Firewall: ASA

Security Level:

Outside - 0

DMZ - 10

Inside - 100

Access Rules in Question (ALL INCOMING):

Outside - implicit any | any | IP | DENY

DMZ - implicit any | any | IP | PERMIT

Inside - implicit any | any | IP | PERMIT

Situation/Confusion

It is my understanding, please correct me if I am wrong, that the security level requires that the Inside interface must initiate traffic to the DMZ or Outside interface for traffic to come back in the Inside interface. With that said, I have seen the access rule for the Inside interface that is implicit and gives IP permission from any to any.

Question

Wouldn't the fact that the Inside interface has an implicit IP any/any permit access rule totally negate the reasoning behind having a DMZ with a security level of 10 and an Inside interface with a security level of 100? I guess what I am trying to say is, is it a good idea to have this rule? Wouldn't it be more secure if you set access rules for specific DMZ appliances that will be talking back to the Inside?

Thanks in advance for your time.

2 REPLIES
New Member

Access rules versus security level

Tony,

On the ASA by default, without any access list, you will have an implicit permit ip any to any less secure networks.

With this being said, by default you will be able to go from DMZ to outside with no problem, but not to Inside, and from Inside to outside or DMZ without problem. Just needing NAT.

If you want the DMZ to access the Inside, you indeed will need to add access rules to be able to do this; you can be more explicit if you want.

To add a specific ACL for access on the inside.

Hope this will help to answer your question
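The following ASA configuration is an added example, not posted by anyone in the thread, showing how the explicit DMZ-to-Inside rule described in the reply above looks in practice. The interface names and security levels match the question; the interface addresses, object names (`DMZ_WEB`, `INSIDE_DB`), host addresses and the ACL name `DMZ_IN` are constructed for illustration. One caveat a practitioner should know: once any access-group is applied inbound on an interface, the implicit "permit to lower security level" behaviour for that interface is replaced by the ACL's own implicit deny at the end, so the DMZ-to-outside traffic that worked by default must now be permitted explicitly.

```cisco
! Added example configuration (not from the thread). Addresses are constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 10
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Hypothetical hosts: a DMZ web server that needs one database port on an inside server
object network DMZ_WEB
 host 10.10.10.5
object network INSIDE_DB
 host 192.168.1.20
!
! Inbound ACL on the DMZ interface.
! 1) Permit only the specific DMZ host -> inside host -> port that is required.
! 2) Deny (and log) anything else from the DMZ toward the inside network,
!    so attempts from a compromised DMZ host show up in syslog.
! 3) Permit everything else, which keeps DMZ -> outside working even though
!    applying this ACL removed the implicit permit-to-lower-security rule.
access-list DMZ_IN extended permit tcp object DMZ_WEB object INSIDE_DB eq 1433
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

After applying it, `show access-list DMZ_IN` shows per-line hit counts, which is the quickest way to confirm that the permitted flow is matching the first entry and that nothing unexpected is hitting the deny line. The same pattern (specific permits, a logged deny toward the protected network, then a catch-all for what the implicit rule used to allow) can be applied inbound on the inside interface if you also want to restrict what inside hosts may initiate toward the DMZ.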

New Member

Access rules versus security level

Do you know if it is industry standard to do an implicit any any IP Permit on the incoming Inside interface? It just seems this is less secure than access rules that are more specific like going from Machine A in DMZ to Machine X in Inside LAN. Does that make sense? Thank you for the reply. It helped clarify things.
