Cisco Support Community

New Member

ACL and default traffic flow from higher to lower interface question

Hello all,

This may be a fairly simple question to answer, but I did some searching and couldn't find a good answer. By default ASAs will allow traffic from a high security interface to a lower security interface, such as the inside (100) to outside (0) and dmz (50), or dmz to outside (0). If you apply an ACL incoming on that interface, is the higher-to-lower interface behavior still present? I want to do some egress filtering on my dmz interface, but still want it to be able to access the outside network. I want to block my inside interface from being able to access my DMZ at all. Any good suggestions on how to do this?

Thanks in advance!


5 REPLIES
Bronze

ACL and default traffic flow from higher to lower interface question

Alan,

The ACL bypasses the high to lower rule.

If you want to block access from inside to DMZ, you can change security level on DMZ to 100.

Or if you want to use ACL.

int g0/1
 nameif inside
 ! an interface takes a host address, not the network address
 ip address 192.168.1.1 255.255.255.0
int g0/2
 nameif dmz
 ip address 172.16.0.1 255.255.255.0
!
! bound inbound on inside: first match wins, implicit deny at the end
access-list name extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list name extended permit ip any any
access-group name in interface inside

hope this helps,

Felipe.

New Member

ACL and default traffic flow from higher to lower interface question

Hey Felipe,

That does help, but I need clarification on one part. Does the access-list work alongside the default behavior to allow traffic from a higher security interface to a lower security interface, or does it replace that behavior?

Thanks,

Alan

Bronze (Accepted Solution)

ACL and default traffic flow from higher to lower interface question

Alan,

The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.

Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.

This is only until version 8.2

Felipe.

New Member

ACL and default traffic flow from higher to lower interface question

Ok thanks for the info!

An example of this would be if my inside interface was 192.168.1.0 and my dmz was 192.168.2.0. I would need a statement like this? static (inside,dmz) 192.168.2.0 192.168.1.0 255.255.255.0

Best Regards,

Alan

Bronze

ACL and default traffic flow from higher to lower interface question

Alan,

You can do:

! dynamic NAT: inside hosts are translated to the dmz interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface

or

! identity static: the whole subnet keeps its real addresses; netmask is needed for a network
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Felipe.
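As an added illustration of the two points made in Felipe's replies above (an inbound ACL replaces the security-level rule, and on pre-8.3 code NAT is looked up separately), here is a small Python model that parses config lines in the thread's own syntax and reports, for a given flow, the ACL or level verdict and the NAT rule it would use. This is example code written for this page, not ASA software or anything from Cisco; the function names, the Policy structure and SAMPLE_CONFIG are assumptions, and the nat-control handling follows the ASA 7.0+ default, where the command is off unless it is configured.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample config in the thread's pre-8.3 syntax (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
interface GigabitEthernet0/0
 nameif outside
 security-level 0
access-list name extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list name extended permit ip any any
access-group name in interface inside
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
global (outside) 1 interface
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _addr(t, i):
    """Consume one ASA address spec starting at token i: 'any' or 'ADDR MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _net(t[i], t[i + 1]), i + 2

@dataclass
class Policy:
    levels: dict = field(default_factory=dict)    # nameif -> security-level
    acls: dict = field(default_factory=dict)      # ACL name -> [(action, proto, src_net, dst_net)]
    bound: dict = field(default_factory=dict)     # nameif -> ACL applied inbound
    nat: list = field(default_factory=list)       # (real_ifc, nat_id, real_net)
    pools: dict = field(default_factory=dict)     # (mapped_ifc, nat_id) -> global pool text
    statics: list = field(default_factory=list)   # (real_ifc, mapped_ifc, real_net, mapped_net)
    nat_control: bool = False                     # ASA 7.0+ default: off unless configured

def parse_config(text):
    p, cur = Policy(), None
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[0] == "nameif":
            cur = t[1]
        elif t[0] == "security-level":
            p.levels[cur] = int(t[1])
        elif t[0] == "access-list":
            i = 3 if t[2] == "extended" else 2      # index of the action token
            src, j = _addr(t, i + 2)
            dst, _ = _addr(t, j)
            p.acls.setdefault(t[1], []).append((t[i], t[i + 1], src, dst))
        elif t[0] == "access-group" and t[2] == "in":
            p.bound[t[4]] = t[1]
        elif t[0] == "nat":
            p.nat.append((t[1].strip("()"), int(t[2]), _net(t[3], t[4])))
        elif t[0] == "global":
            p.pools[(t[1].strip("()"), int(t[2]))] = " ".join(t[3:])
        elif t[0] == "static":                    # static (real,mapped) MAPPED REAL [netmask M]
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            p.statics.append((real_ifc, mapped_ifc, _net(t[3], mask), _net(t[2], mask)))
        elif t[0] == "nat-control":
            p.nat_control = True
    return p

def acl_decision(p, in_ifc, out_ifc, src, dst, proto="ip"):
    """An ACL bound inbound replaces the level rule; otherwise the levels decide."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = p.bound.get(in_ifc)
    if acl is None:
        if p.levels[in_ifc] > p.levels[out_ifc]:
            return "permit", "implicit permit (higher to lower level, no ACL bound)"
        return "deny", "implicit deny (lower to higher level, no ACL bound)"
    for n, (action, ace_proto, s, d) in enumerate(p.acls[acl], 1):
        if ace_proto in ("ip", proto) and src in s and dst in d:
            return action, f"{acl} line {n}"           # first match wins
    return "deny", f"{acl} implicit deny at end of list"

def nat_match(p, in_ifc, out_ifc, src):
    src = ipaddress.ip_address(src)
    for real_ifc, mapped_ifc, real, mapped in p.statics:   # statics are checked first
        if (real_ifc, mapped_ifc) == (in_ifc, out_ifc) and src in real:
            return f"static ({real_ifc},{mapped_ifc}) {mapped}"
    for real_ifc, nat_id, real in p.nat:
        pool = p.pools.get((out_ifc, nat_id))
        if real_ifc == in_ifc and src in real and pool:
            return f"nat id {nat_id} -> global ({out_ifc}) {pool}"
    return None

def forward(p, in_ifc, out_ifc, src, dst, proto="ip"):
    verdict, reason = acl_decision(p, in_ifc, out_ifc, src, dst, proto)
    if verdict != "permit":
        return "drop", reason
    nat = nat_match(p, in_ifc, out_ifc, src)
    if nat is None and p.nat_control:     # only nat-control makes a missing NAT fatal
        return "drop", f"{reason}; nat-control on and no translation for {src}"
    return "forward", f"{reason}; {nat or 'no NAT, routed untranslated'}"
```

With the sample config, inside to dmz is dropped by line 1 of the ACL, inside to outside is permitted by line 2 and translated by nat/global id 1, and dmz to outside is permitted by its security level alone because no ACL is bound there. Appending `nat-control` to the config makes the untranslated dmz to outside flow drop until a static or nat/global pair covers it, which is the NAT dependency Felipe describes for releases before 8.3.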

1097 Views | 0 Helpful | 5 Replies