Any to Any less secure networks disappears on dmz when configuring ACL

Hi,

I have an ASA 5505 running 7.2(4).

I have a dmz configured which can access the outside via the implicit rule to permit all traffic to less secure networks.

When I try to apply an access-list on the dmz interface to permit https access to a server inside, I can access the server but the "any less secure" rule does not apply anymore.

What am I missing? I guess it is not the correct way to do this?

Etienne

3 REPLIES

Re: Any to Any less secure networks disappears on dmz when confi

Every ACL contains an implicit deny. Therefore, when you apply the ACL on the DMZ interface to allow access to the inside, it will implicitly deny all other traffic that enters that interface. You need to add ACEs to your DMZ access list to permit traffic to the outside.


Re: Any to Any less secure networks disappears on dmz when confi

Thanks for your answer Eddie, that makes sense.

Could you give me an example of an ACE to permit all traffic from the dmz to the outside?

Thanks!

Etienne

Re: Any to Any less secure networks disappears on dmz when confi

I would add ACEs for your DMZ host(s) to access any destination outside, but for specific ports (80, 443, UDP 53, etc.). In other words, don't use a permit ip any any statement. Hopefully, you are also using nat-control with static statements to further control traffic from the DMZ to the inside.
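The kind of DMZ access list Eddie describes, written out as ASA 7.x CLI; this is an added illustration, not configuration from anyone in the thread. The interface name dmz, the ACL name dmz_access_in, the DMZ subnet 192.168.10.0/24, the inside network 10.1.1.0/24 and the inside HTTPS server 10.1.1.20 are all assumed values.

```cisco
! Assumed names/addresses (not from the thread): interface "dmz",
! DMZ subnet 192.168.10.0/24, inside network 10.1.1.0/24,
! inside HTTPS server 10.1.1.20.
!
! DMZ -> inside (lower to higher security): only HTTPS to the one server.
access-list dmz_access_in remark DMZ to inside: HTTPS to web server only
access-list dmz_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq https
!
! Deny everything else toward the inside BEFORE the outbound entries,
! so the "any" destinations below cannot match inside hosts.
access-list dmz_access_in extended deny ip any 10.1.1.0 255.255.255.0
!
! DMZ -> outside: replaces the implicit "permit to less secure networks"
! that applying an ACL removed. Specific ports only, no "permit ip any any".
access-list dmz_access_in remark DMZ to outside: web and DNS only
access-list dmz_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list dmz_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list dmz_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain
!
! Anything unmatched hits the implicit deny anyway; an explicit logged deny
! at the end makes the dropped traffic visible in syslog.
access-list dmz_access_in extended deny ip any any log
!
! Apply to traffic entering the DMZ interface.
access-group dmz_access_in in interface dmz
!
! With nat-control enabled, DMZ to inside also needs a static (pre-8.3
! syntax, mapped address first); an identity static for the one server.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
```

Order matters: the ACL is evaluated top down, so the inside deny must sit above the outbound permits to "any" or those permits would also reach inside hosts.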
