ASA DMZ Access

Hi,

I was just hoping someone could clarify something for me. Obviously with a DMZ you don't want the devices talking to the internal network (usually anyway). If a server in the DMZ needed access to anywhere on the web but not inside (e.g. an SMTP server) and you created the ACL to permit the SMTP server using TCP port 25 anywhere, this would also allow it anywhere using TCP 25 on the inside network too, would it not?

Would you have to create the ACL to say deny the SMTP server using TCP 25 to 192.168.0.0 etc. and then permit it anywhere? Or is there a feature that prevents this anyway? I know there is NAT control, which would require a NAT translation, but that is from a higher security to a lower security interface, is it not?

So how would you configure something like this? Hope this makes sense.

Thanks


4 REPLIES

Re: ASA DMZ Access

Mike,

On the ASA,

Outside Interface Security Level 0

Inside Interface security level 100

The above are defaults and cannot be changed.

The rule is this:-

Traffic from an interface with a higher security level can pass to an interface with a lower security level by default - no ACL required.

Traffic from an interface with a lower security level cannot pass to an interface with a higher security level without an ACL that permits the traffic.

If you have a DMZ - the security level cannot be set higher than the inside or lower than the outside.

HTH.


Re: ASA DMZ Access

Hi,

Thanks for your reply. I was aware of those points already but it's appreciated. To be honest I think I answered my own question, I was just having a stupid moment! I would just need to stick the deny statements then the permit all. Just wondered about other ways and best practices etc.

Thanks

Re: ASA DMZ Access (Accepted Solution)

Errrm sorry - from your original question I don't quite understand where "stick the deny statements then the permit all" comes into it?

Remember at the end of an ACL is a default deny all?


Re: ASA DMZ Access

Hi, sorry, not the best wording. For example you have an SMTP relay in the DMZ. It needs to be able to get anywhere on the Internet and to one host internally. I meant you would just have to configure it as

access-list dmz-in extended permit tcp host x.x.x.x host y.y.y.y eq 25

access-list dmz-in extended deny ip host x.x.x.x y.y.y.y 255.255.255.0

access-list dmz-in extended permit tcp host x.x.x.x any eq 25

The deny all wouldn't have helped protect internal networks if you use a permit any tcp 25.

As I say I wouldn't worry! I was having a dumb moment.
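The following is an added example, not code from the thread or from Cisco: a small Python model of how the ASA evaluates an extended ACL (first match wins, implicit deny at the end) and of the security-level rule quoted in the first reply (traffic flows from a higher to a lower security level without an ACL, never the other way). It parses the poster's three ACE lines with constructed addresses standing in for x.x.x.x and y.y.y.y, and contrasts them with the single "permit tcp ... any eq 25" line that would also reach the inside network. The dmz security level of 50 and all IP addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed security levels: outside=0 and inside=100 are the ASA defaults
# quoted in the thread; dmz=50 is an assumed value between them.
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

# Constructed addresses standing in for the poster's x.x.x.x (DMZ relay)
# and y.y.y.y (the one inside host it may talk to).
RELAY = "172.16.1.10"
INSIDE_MAIL = "192.168.0.25"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted netmask form, e.g. "192.168.0.0 255.255.255.0"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, dport, line)


def evaluate_acl(acl_lines, src, dst, proto, dport=None):
    """First-match evaluation; returns (action, matching line or None).
    Falling off the end is the implicit deny the accepted answer refers to."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", None


def allowed_by_security_level(src_if, dst_if):
    """Without an ACL, traffic passes only from a higher to a lower security level."""
    return SECURITY_LEVELS[src_if] > SECURITY_LEVELS[dst_if]


# The one-line ACL the original question worries about: "any" includes the inside.
ACL_NAIVE = [
    f"access-list dmz-in extended permit tcp host {RELAY} any eq 25",
]

# The poster's ordering: specific permit, deny to the inside range, then permit anywhere.
ACL_ORDERED = [
    f"access-list dmz-in extended permit tcp host {RELAY} host {INSIDE_MAIL} eq 25",
    f"access-list dmz-in extended deny ip host {RELAY} 192.168.0.0 255.255.255.0",
    f"access-list dmz-in extended permit tcp host {RELAY} any eq 25",
]


def smtp_reaches(acl_lines, dst):
    """True if the relay may open TCP/25 to dst under this ACL."""
    return evaluate_acl(acl_lines, RELAY, dst, "tcp", 25)[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("naive", ACL_NAIVE), ("ordered", ACL_ORDERED)):
        for dst in (INSIDE_MAIL, "192.168.0.50", "203.0.113.5"):
            print(name, dst, evaluate_acl(acl, RELAY, dst, "tcp", 25))
    print("inside->dmz without ACL:", allowed_by_security_level("inside", "dmz"))
    print("dmz->inside without ACL:", allowed_by_security_level("dmz", "inside"))
```

The model shows why the order matters: with the naive ACL the relay reaches every inside host on port 25, while with the ordered ACL the second line catches everything in 192.168.0.0/24 except the one host permitted on the first line, and anything not matched by any line (e.g. TCP/80 to the Internet) hits the implicit deny. On a real ASA the list only takes effect once it is bound to the interface with `access-group dmz-in in interface dmz`; the model does not represent that step or the NAT rules the question also mentions.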
