02-12-2009 01:05 PM - edited 03-11-2019 07:49 AM
Hi,
I have an ASA 5505 running 7.2(4).
I have a dmz configured which can access the outside via the implicit rule to permit all traffic to less secure networks.
When I try to apply an access-list on the dmz interface to permit https access to a server inside, I can access the server but the "any less secure" rule does not apply anymore.
What am I missing? I guess it is not the correct way to do this?
Etienne
02-12-2009 01:37 PM
Every ACL contains an implicit deny. Therefore, when you apply the ACL on the DMZ interface to allow access to the inside, it will implicitly deny all other traffic that enters that interface. You need to add ACEs to your DMZ access list to permit traffic to the outside.
02-13-2009 05:16 AM
Thanks for your answer Eddie, that makes sense.
Could you give me an example of an ACE to permit all traffic from the dmz to the outside?
Thanks!
Etienne
02-13-2009 05:50 AM
I would add ACEs for your DMZ host(s) to access any destination outside, but for specific ports (80, 443, UDP 53, etc.). (In other words, don't use a permit ip any any statement.) Hopefully, you are also using nat-control with static statements to further control traffic from the DMZ to the inside.
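Putting the two answers together, here is an added example of what the DMZ access list might look like on a 7.2-era ASA. It is not configuration posted by Eddie or Etienne; the interface name `dmz`, the DMZ subnet 192.168.10.0/24, the DMZ host 192.168.10.10, the inside server 10.0.0.50 and the inside network 10.0.0.0/8 are all made-up values for illustration. Because the ASA evaluates an ACL top-down and stops at the first match, the entries that control DMZ-to-inside traffic come before the broad "any destination" permits; otherwise `permit tcp ... any eq 80` would also reach inside web servers, which is exactly the kind of hole the advice against `permit ip any any` is meant to avoid.

```cisco
! Constructed example (not from the thread): DMZ interface ACL for ASA 7.2(4)
! Names and addresses are assumptions made for this illustration.

! 1. The specific DMZ -> inside flow the original poster wants: HTTPS to one server.
access-list DMZ_IN extended permit tcp host 192.168.10.10 host 10.0.0.50 eq 443

! 2. Explicitly stop everything else from the DMZ to the inside network.
!    This must sit ABOVE the "any" permits below, since the ASA is first-match.
access-list DMZ_IN extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0 log

! 3. Replace the lost "implicit permit to less secure" behaviour with
!    port-specific ACEs instead of "permit ip any any".
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list DMZ_IN extended permit udp 192.168.10.0 255.255.255.0 any eq 53

! 4. Make the implicit deny explicit and logged so dropped DMZ traffic is visible.
access-list DMZ_IN extended deny ip any any log

! Bind the ACL to traffic entering the DMZ interface.
access-group DMZ_IN in interface dmz

! With nat-control enabled, DMZ -> inside traffic also needs a translation;
! an identity static for the inside server is one way to provide it (assumed addressing).
static (inside,dmz) 10.0.0.50 10.0.0.50 netmask 255.255.255.255
```

After applying it, `show access-list DMZ_IN` shows per-ACE hit counts, which is the quickest way to confirm that HTTPS to the inside server is matching entry 1 and that ordinary DMZ web traffic is matching the port-specific permits rather than the final deny.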