ACL issues on a 5520 running 8.2

We have an outside DNS server in our DMZ we maintain as well as an FTP server and McAfee Agent Handler for outside users to update virus definitions.  Never needed an ACL on the DMZ interface until putting the McAfee box in.  It has to have open ports to our SQL server on the inside as well as the McAfee ePO server.  The McAfee box is the only box that has to have access to the inside network.  All servers are accessed by outside users via an ACL on the outside interface (in)... normal stuff.

When I applied the ACL to the DMZ interface (in), the other boxes were not able to get to the internet via the outside interface.  Security is set up as:

Outside = 0

DMZ = 50

Inside = 100

Again, normal stuff.  Since the outside interface is a lower security interface than the DMZ interface, I didn't think I would have to implicitly allow traffic from the DMZ to the outside after applying the ACL.  DNS responses to queries were being dropped, and none of the servers could get to the Internet.  The only thing that was working was what I had implicitly allowed with the ACL to the inside network from the McAfee box.

What am I missing?

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
8 REPLIES
Cisco Employee

Re: ACL issues on a 5520 running 8.2

Hello,

When you apply an ACL, the implicit policy is to deny all traffic. So, it just allowed the traffic that was allowed by the ACL. Please try the following:

access-list permit ip any any

This will ensure that only the McAfee box has access to the inside subnet and everybody will have access to the internet.

Hope this helps.

Regards,

NT

Re: ACL issues on a 5520 running 8.2

Well, not really.  If I were to allow all traffic from all devices in my DMZ to anywhere... why not just put them on the inside?

I really think the answer to my question is to build a separate DMZ for the McAfee box since it's the only one that really needs to communicate to the inside (SQL and some other TCP ports).  The other two boxes, FTP and DNS server, don't need to source any traffic to the inside... no need for an ACL.

Just trying to determine what best practices are.

Cisco Employee

Re: ACL issues on a 5520 running 8.2

Hello,

The second line in the access-list actually denies other servers access to the inside subnet.

Regards,

NT

Cisco Employee

Re: ACL issues on a 5520 running 8.2

Hello,

My bad. The access-list I actually posted did not come through. Here is the message again:

Hello,

When you apply an ACL, the implicit policy is to deny all traffic. So, it just allowed the traffic that was allowed by the ACL. Please try the following:

access-list permit ip host any
access-list deny ip any
access-list permit ip any any

This will ensure that only the McAfee box has access to inside subnet and everybody will have access to internet.

Hope this helps.

Regards,

NT

My original message was truncated. Here is the full text of it. Message was edited by: Nagaraja Thanthry

Re: ACL issues on a 5520 running 8.2

Writing the ACL is not my problem.  I guess I'm not giving enough detail.  I didn't foresee having to allow traffic specifically from DMZ servers to the outside when I applied the ACL against the DMZ interface (in).  I guess I was thinking that since the outside interface was a lower security than the DMZ, traffic sourced from the DMZ to the outside would be allowed by default... even after the ACL was applied. Wrong...!

I was hoping that I was just not thinking about some easier way to do this.  I can fix the ACL to allow traffic as needed in whatever direction, but it will be a complicated list for just the three servers that are in there.  Remember, we have an outside DNS server that must be able to respond to queries to anyone on the Internet.  At the same time, I don't want to give that server access to my inside subnets.  Same thing for the FTP server.  It needs to be able to get to the Internet.

McAfee server needs to get to the inside over 3 specific TCP ports

McAfee server needs to be accessible from the outside over http to anyone (outside ACL takes care of this)

McAfee server needs to be able to get Microsoft updates from the outside

FTP server needs to be accessible to vendors (outside ACL takes care of this)

FTP server needs to be able to access the Internet for updates and NTP

DNS server needs to be accessible to the outside over UDP port 53 for queries (outside ACL takes care of this)

DNS server needs to be able to access to the outside for updates and respond to queries

When I applied the ACL to the DMZ interface (in), it killed all the servers' access to the Internet and also replies from the DNS server.

To be clear, I know I can write some specific rules to allow traffic as needed from the DMZ, but I guess what I'm looking for is suggestions if there is a better way or more of a best practices way of doing this.

Cisco Employee

Re: ACL issues on a 5520 running 8.2

Hello,

You can certainly create a new DMZ for the new server. But then again, you need to change your access rules to allow communication between different interfaces. Typically, you control the traffic through access-list rules. As soon as you apply one rule to the interface, the default policy, i.e. implicit deny, will come into the picture. So, you generally need to control the traffic through access-list rules.

Hope this helps.

Regards,

NT

Cisco Employee

Re: ACL issues on a 5520 running 8.2

Hello,

Please check the updated note with the access-list entries.

Regards,

NT

Re: ACL issues on a 5520 running 8.2

Hi Chris,

Whatever Nagaraja has said above is certainly true.

You can get a demo of the same using packet-tracer.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

Please try using packet-tracer in both scenarios (plain interface & interface with an ACL placed as well), which will give us more clarity.

However, I would like to see the rule which you are referring to... it would be great if you can post the URL here.

Yes, creating another zone would be a good idea to isolate services as per requirement... but still ACL manipulation is required.

Regards

Yogesh
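Pulling the thread's advice together, here is an added example (not configuration any poster supplied) of a least-privilege DMZ ACL built from the requirements the original poster listed, followed by the packet-tracer checks Yogesh suggests. Everything concrete in it is an assumption: the interface names (inside, dmz, outside), the 192.0.2.x DMZ addresses, the 10.0.0.0/8 inside range, the inside SQL (10.1.1.5) and ePO (10.1.1.6) hosts, and the three TCP ports are constructed placeholders, since the thread names none of them. The structure is the point: once an ACL is bound to the DMZ interface, the security-level default no longer applies for that direction, so every flow the DMZ hosts initiate must be listed, and the deny toward inside has to sit above the broad outbound permits.

```cisco
! Added example, not from the thread. Interface names, every address and
! every port number below are constructed placeholders; substitute your own.
! Syntax is ASA 8.2 (extended ACLs, subnet masks rather than wildcards).

! --- Inside address space the DMZ must not reach unless explicitly permitted
object-group network INSIDE_NETS
 network-object 10.0.0.0 255.0.0.0

! --- DMZ hosts: McAfee Agent Handler, FTP server, DNS server (placeholders)
object-group network DMZ_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.20
 network-object host 192.0.2.30

! --- The three inside TCP ports the McAfee box needs. The thread does not
!     list the real ports, so these three are stand-ins.
object-group service MCAFEE_TO_INSIDE tcp
 port-object eq 1433
 port-object eq 8443
 port-object eq 8444

! --- Outbound services the DMZ hosts may initiate toward the Internet
object-group service DMZ_OUTBOUND tcp
 port-object eq www
 port-object eq https
 port-object eq ftp

! === DMZ interface ACL, applied inbound (traffic sourced by DMZ hosts) ===
! First match wins; anything unmatched hits the implicit deny at the end,
! which is exactly what cut the FTP and DNS servers off from the Internet.

! 1. McAfee Agent Handler -> SQL server and ePO server on inside, named ports only
access-list DMZ_IN remark McAfee handler to SQL and ePO on inside
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.1.1.5 object-group MCAFEE_TO_INSIDE
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.1.1.6 object-group MCAFEE_TO_INSIDE

! 2. Nothing else from the DMZ reaches inside. Keeping this deny above the
!    outbound permits is what stops "permit ... any" from leaking inward.
access-list DMZ_IN remark Block everything else DMZ to inside
access-list DMZ_IN extended deny ip any object-group INSIDE_NETS

! 3. DNS server: the upstream lookups it initiates (UDP and TCP 53)
access-list DMZ_IN remark DNS server outbound lookups
access-list DMZ_IN extended permit udp host 192.0.2.30 any eq domain
access-list DMZ_IN extended permit tcp host 192.0.2.30 any eq domain

! 4. All three servers: web and FTP updates plus NTP to the Internet
access-list DMZ_IN remark DMZ servers outbound updates and NTP
access-list DMZ_IN extended permit tcp object-group DMZ_SERVERS any object-group DMZ_OUTBOUND
access-list DMZ_IN extended permit udp object-group DMZ_SERVERS any eq ntp

! 5. Explicit, logged catch-all so dropped flows show up in syslog and hit counts
access-list DMZ_IN extended deny ip any any log

access-group DMZ_IN in interface dmz

! === Verification from exec mode (packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>)
! McAfee handler to SQL on a permitted port: expect allow via rule 1
packet-tracer input dmz tcp 192.0.2.10 40000 10.1.1.5 1433
! FTP server to the same inside host: expect drop via rule 2
packet-tracer input dmz tcp 192.0.2.20 40000 10.1.1.5 1433
! DNS server upstream query to a placeholder resolver: expect allow via rule 3
packet-tracer input dmz udp 192.0.2.30 40000 198.51.100.53 53
! Hit counts per ACE show which line each real flow is matching
show access-list DMZ_IN
```

The object-group and access-list lines go in under configure terminal; the packet-tracer and show commands run from exec mode. Replies to DNS queries that the outside ACL already admitted ride the existing connection entry and are not re-evaluated against DMZ_IN, so what this ACL must permit is the traffic the DNS server itself initiates (its upstream lookups); running packet-tracer against the interface both before and after the access-group line, as Yogesh suggests, shows which ACE, or the implicit deny, a given flow lands on.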
