08-21-2010 04:45 PM - edited 03-11-2019 11:28 AM
We have an outside DNS server in our DMZ we maintain as well as an FTP server and McAfee Agent Handler for outside users to update virus definitions. Never needed an ACL on the DMZ interface until putting the McAfee box in. It has to have open ports to our SQL server on the inside as well as the McAfee ePO server. The McAfee box is the only box that has to have access to the inside network. All servers are accessed by outside users via an ACL on the outside interface (in)... normal stuff.
When I applied the ACL to the DMZ interface (in), the other boxes were not able to get to the internet via the outside interface. Security is set up as:
Outside = 0
DMZ = 50
Inside = 100
Again, normal stuff. Since the outside interface is a lower security interface than the DMZ interface, I didn't think I would have to implicitly allow traffic from the DMZ to the outside after applying the ACL. DNS responses to queries were being dropped, and none of the servers could get to the Internet. The only thing that was working was what I had implicitly allowed with the ACL to the inside network from the McAfee box.
What am I missing?
08-21-2010 04:53 PM
Hello,
When you apply an ACL, the implicit policy is to deny all traffic. So, it
just allowed the traffic that was allowed by the ACL. Please try the
following:
access-list permit ip any any
This will ensure that only the McAfee box has access to inside subnet and
everybody will have access to internet.
Hope this helps.
Regards,
NT
08-21-2010 05:25 PM
Well, not really. If I were to allow all traffic from all devices in my DMZ to anywhere... why not just put them on the inside?
I really think the answer to my question is to build a separate dmz for the McAfee box since its the only one that really needs to communicate to the inside (sql and some other tcp ports). The other two boxes, FTP and DNS server, don't need to source any traffic to the inside... no need for an ACL.
Just trying to determine what best practices are.
08-21-2010 05:27 PM
Hello,
The second line in the access-list actually denies other servers access to
the inside subnet.
Regards,
NT
08-21-2010 05:28 PM
Hello,
My bad. The access-list I actually posted did not come through. Here is the message again:
Hello,
When you apply an ACL, the implicit policy is to deny all traffic. So, it just allowed the traffic that was allowed by the ACL. Please try the following:
access-list
access-list
access-list
This will ensure that only the McAfee box has access to inside subnet and everybody will have access to internet.
Hope this helps.
Regards,
NT
My original message was truncated. Here is the full text of it. Message was edited by: Nagaraja Thanthry
08-21-2010 05:56 PM
Writing the ACL is not my problem. I guess I'm not giving enough detail. I didn't foresee having to allow traffic specifically from DMZ servers to the outside when I applied the ACL against the DMZ interface (in). I guess I was thinking that since the outside interface was a lower security than the DMZ, traffic sourced from the DMZ to the outside would be allowed by default... even after the ACL was applied. Wrong...!
I was hoping that I was just not thinking about some easier way to do this. I can fix the ACL to allow traffic as needed in whatever direction, but it will be a complicated list for just the three servers that are in there. Remember, we have an outside DNS server that must be able to respond to queries to anyone on the Internet. At the same time, I don't want to give that server access to my inside subnets. Same thing for the FTP server. It needs to be able to get to the Internet.
McAfee server needs to get to the inside over 3 specific TCP ports
McAfee server needs to be accessible from the outside over http to anyone (outside ACL takes care of this)
McAfee server needs to be able to get Microsoft updates from the outside
FTP server needs to be accessible to vendors (outside ACL takes care of this)
FTP server needs to be able to access the Internet for updates and NTP
DNS server needs to be accessible to the outside over UDP port 53 for queries (outside ACL takes care of this)
DNS server needs to be able to access to the outside for updates and respond to queries
When I applied the ACL to the DMZ interface (in), it killed all the servers' access to the Internet and also replies from the DNS server.
To be clear, I know I can write some specific rules to allow traffic as needed from the DMZ, but I guess what I'm looking for is suggestions if there is a better way or more of a best practices way of doing this.
08-21-2010 06:16 PM
Hello,
You can certainly create a new DMZ for the new server. But then again, you
need to change your access rules to allow communication between different
interfaces. Typically, you control the traffic through access-list rules. As
soon as you apply one rule to the interface, the default policy i.e.
implicit deny will come into picture. So, you generally need to control the
traffic through access-list rules.
Hope this helps.
Regards,
NT
08-21-2010 05:48 PM
Hello,
Please check the updated note with the access-list entries.
Regards,
NT
08-22-2010 05:34 AM
Hi Chris,
Whatever Nagaraja has said above is certainly true.
You can get the demo of same using packet-tracer.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
Please try using packet-tracer in both scenarios (plain interface & interface with the ACL placed as well), which will give us more clarity.
However, I would like to see the rule to which you are referring... it would be great if you can post the URL here.
Yes, creating another zone would be a good idea to isolate services as per requirement... but ACL manipulation is still required.
Regards
Yogesh
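To make the advice in this thread concrete, here is an added example of a DMZ-interface ACL that meets Chris's seven requirements and the packet-tracer checks Yogesh points to. It is not configuration posted by anyone in the thread or by Cisco; the interface names (dmz, inside), the 192.0.2.x and 10.0.0.0/8 addresses, the ACL and object-group names, and the three McAfee TCP ports (the thread only says "SQL and some other TCP ports") are all placeholders to be replaced with real values.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! McAfee ports are placeholders; substitute the real ones.
!
! The three DMZ hosts (placeholder addresses)
object-group network DMZ_MCAFEE
 network-object host 192.0.2.10
object-group network DMZ_FTP
 network-object host 192.0.2.11
object-group network DMZ_DNS
 network-object host 192.0.2.12
! Inside networks the DMZ must not reach except where explicitly permitted
object-group network INSIDE_NETS
 network-object 10.0.0.0 255.0.0.0
! The three TCP ports the McAfee Agent Handler needs on the inside (placeholders)
object-group service MCAFEE_TO_INSIDE tcp
 port-object eq 1433
 port-object eq 8443
 port-object eq 8444
! Outbound services the DMZ hosts need for updates, NTP and DNS lookups
object-group service DMZ_OUTBOUND_TCP tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group service DMZ_OUTBOUND_UDP udp
 port-object eq ntp
 port-object eq domain
!
access-list DMZ_IN remark 1: only the McAfee box may reach the inside, and only on its ports
access-list DMZ_IN extended permit tcp object-group DMZ_MCAFEE object-group INSIDE_NETS object-group MCAFEE_TO_INSIDE
access-list DMZ_IN remark 2: block everything else from the DMZ to the inside BEFORE any outbound permit
access-list DMZ_IN extended deny ip any object-group INSIDE_NETS
access-list DMZ_IN remark 3: outbound to the Internet, limited to what the servers actually need
access-list DMZ_IN extended permit tcp any any object-group DMZ_OUTBOUND_TCP
access-list DMZ_IN extended permit udp any any object-group DMZ_OUTBOUND_UDP
access-list DMZ_IN remark anything not matched above hits the implicit deny at the end of the list
access-group DMZ_IN in interface dmz
!
! Verify with packet-tracer, one trace per question the thread raises.
! Expected: McAfee box to inside SQL -> ALLOW (matches ACL line 1)
packet-tracer input dmz tcp 192.0.2.10 1025 10.0.0.5 1433
! Expected: FTP server to inside SQL -> DROP (hits the deny to INSIDE_NETS)
packet-tracer input dmz tcp 192.0.2.11 1025 10.0.0.5 1433
! Expected: DNS server querying an Internet resolver on UDP/53 -> ALLOW
packet-tracer input dmz udp 192.0.2.12 1025 198.51.100.53 53
```

Two points worth noting. The order matters: the deny to INSIDE_NETS sits above the outbound permits, so the FTP and DNS servers can reach the Internet without ever being able to reach the inside, which is the separation Chris wanted without a fourth interface. And the UDP/53 permit is for queries the DNS server itself originates; replies to queries that arrived through the outside ACL belong to connections the ASA already tracks and are not evaluated against DMZ_IN, so if replies are still dropped after applying an ACL like this, packet-tracer on the inbound query and the drop counters from `show asp drop` are the places to look.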