Any to Any less secure networks disappears on dmz when configuring ACL

eringuet
Level 1

Hi,

I have an ASA 5505 running 7.2(4).

I have a dmz configured which can access the outside via the implicit rule to permit all traffic to less secure networks.

When I try to apply an access-list on the dmz interface to permit https access to a server inside, I can access the server but the "any less secure" rule does not apply anymore.

What am I missing? I guess it is not the correct way to do this?

Etienne

3 Replies

eddie.mitchell
Level 3

Every ACL contains an implicit deny. Therefore, when you apply the ACL on the DMZ interface to allow access to the inside, it will implicitly deny all other traffic that enters that interface. You need to add ACEs to your DMZ access list to permit traffic to the outside.

Thanks for your answer Eddie, that makes sense.

Could you give me an example of an ACE to permit all traffic from the dmz to the outside?

Thanks!

Etienne

I would add ACEs for your DMZ host(s) to access any destination outside, but for specific ports (80, 443, udp 53, etc.). (In other words, don't use a permit ip any any statement.) Hopefully, you are also using nat-control with static statements to further control traffic from the DMZ to the inside.
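The following configuration fragment is an added example for this thread, not config posted by either participant. It puts Eddie's two points together: once an access-group is bound to the dmz interface, the security-level "permit to less secure" behaviour is gone and the list ends in an implicit deny, so the outbound traffic has to be permitted explicitly, per port rather than with permit ip any any. The addressing (inside 192.168.1.0/24 with a web server at 192.168.1.10, dmz 10.10.10.0/24), the ACL name dmz_in and the chosen port list are all assumptions; the static statement is only needed when nat-control is enabled, as Eddie suggests.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   inside = 192.168.1.0/24, inside web server = 192.168.1.10
!   dmz    = 10.10.10.0/24
! ACL name "dmz_in" is an arbitrary choice.

! 1) Identity static (inside -> dmz) so DMZ hosts can reach the inside server
!    under nat-control without address translation.
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

! 2) The one permit that started the thread: HTTPS from the DMZ to the inside server.
access-list dmz_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq https

! 3) Deny everything else toward inside BEFORE the "to any" lines below;
!    "any" as a destination also matches inside hosts, so order matters.
access-list dmz_in extended deny ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

! 4) Replace the lost "any to less secure" behaviour with port-specific ACEs.
!    Assumed port list; adjust to what the DMZ hosts actually need.
access-list dmz_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 10.10.10.0 255.255.255.0 any eq https
access-list dmz_in extended permit udp 10.10.10.0 255.255.255.0 any eq domain
access-list dmz_in extended permit udp 10.10.10.0 255.255.255.0 any eq ntp

! (implicit deny ip any any: anything not matched above is dropped and logged
!  as an ACL drop, which is why outbound traffic "disappeared" after the ACL was applied)

! 5) Bind the list to traffic entering the dmz interface.
access-group dmz_in in interface dmz
```

To check that the list is doing what you expect, `show access-list dmz_in` shows the hit count on each ACE (a DMZ host browsing the Internet should increment the www/https lines, not fall through to the implicit deny), and `packet-tracer input dmz tcp 10.10.10.5 1025 203.0.113.10 80` walks a sample packet through the ACL and NAT phases and reports which ACE allowed or dropped it.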
