Cisco Support Community


ASA Questions / Best Practices

Hello all,

I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.

I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on its security level, would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.

What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...

Now, my DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permitted traffic from the DMZ to hosts on my Inside interface as well.

My initial thoughts are to permit www / https from the DMZ subnets to any, and to use deny statements in my Inside interface ACLs for the DMZ IPs that I don't want these systems touching, but I'm just looking for some opinions on the "right" way to accomplish this.

Thanks -



Re: ASA Questions / Best Practices

If you want to allow internet traffic from the DMZ and deny traffic to the inside, you should add the deny statement from the DMZ subnet to the inside subnet at the beginning of the DMZ ACL and then add the permit from DMZ to ANY.

I hope this helps.


Re: ASA Questions / Best Practices

Just to add to what Paul has said, if we have a rule to allow just Internet access, it is usually preceded with an explicit deny to RFC1918 addresses:

object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

access-list dmz_acl remark Explicit deny to all private address space, placed before the internet permit
access-list dmz_acl deny ip any object-group RFC1918

access-list dmz_acl remark DMZ-Net and WEB-PORTS (www/https) must be defined as object-groups first
access-list dmz_acl permit tcp object-group DMZ-Net any object-group WEB-PORTS

Then you would add any other permits, such as to your inside network, above these lines.
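As an added example, not part of the thread and not Cisco's code: a small Python model of how the ASA evaluates an extended ACL top-down with first match and an implicit deny at the end. It parses the object-group and access-list syntax used in the two replies and runs the original poster's scenario through three ACLs: the single blanket permit from the question, the ordering both replies recommend (specific inside permits, then the RFC1918 deny, then the outbound web permit), and the same lines with the deny placed after the web permit. The contents of DMZ-Net, INSIDE-SERVERS and WEB-PORTS, the SQL port 1433 and all sample addresses are assumptions; only the RFC1918 ranges are real.

```python
import ipaddress

# Constructed sample objects (not from the thread); DMZ-Net, INSIDE-SERVERS and WEB-PORTS are assumptions.
OBJECTS = """
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network DMZ-Net
 network-object 192.168.80.0 255.255.255.0
object-group network INSIDE-SERVERS
 network-object host 10.1.1.10
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
"""

# The poster's single blanket permit: it reaches the inside as well as the internet.
ACL_ORIGINAL = "access-list dmz_acl permit ip object-group DMZ-Net any"

# The ordering the replies recommend; everything not listed hits the implicit deny.
ACL_RECOMMENDED = """
access-list dmz_acl permit tcp object-group DMZ-Net object-group INSIDE-SERVERS eq 1433
access-list dmz_acl deny ip any object-group RFC1918
access-list dmz_acl permit tcp object-group DMZ-Net any object-group WEB-PORTS
"""

# Same lines with the deny after the web permit: first match wins, so DMZ hosts reach 80/443 inside.
ACL_MISORDERED = """
access-list dmz_acl permit tcp object-group DMZ-Net any object-group WEB-PORTS
access-list dmz_acl deny ip any object-group RFC1918
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def parse_objects(text):
    """Collect object-groups into {name: [IPv4Network, ...] or [port, ...]}."""
    groups, current = {}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "port-object" and t[1] == "eq":
            current.append(int(PORT_NAMES.get(t[2], t[2])))
    return groups

def parse_addr(t, i, groups):
    """Parse one address operand at t[i]; return (list of networks, next index)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    # 'host A.B.C.D' or 'A.B.C.D MASK'
    return [ipaddress.ip_network(t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}")], i + 2

def parse_acl(text, groups):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT | object-group GRP]'."""
    aces = []
    for t in (line.split() for line in text.splitlines() if line.strip()):
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = parse_addr(t, i + 2, groups)
        dst, i = parse_addr(t, i, groups)
        ports = None
        if i < len(t) and t[i] == "eq":
            ports = [int(PORT_NAMES.get(t[i + 1], t[i + 1]))]
        elif i < len(t) and t[i] == "object-group":
            ports = groups[t[i + 1]]
        aces.append((action, proto, src, dst, ports))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """Top-down first match; the ASA's implicit deny applies when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, ports in aces:
        if p not in ("ip", proto):
            continue
        if not any(s in n for n in src) or not any(d in n for n in dst):
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action
    return "deny"

# Constructed flows from one DMZ host; 203.0.113.5 stands in for an internet host.
FLOWS = {
    "dmz->internet https": ("tcp", "192.168.80.10", "203.0.113.5", 443),
    "dmz->internet ssh": ("tcp", "192.168.80.10", "203.0.113.5", 22),
    "dmz->inside sql": ("tcp", "192.168.80.10", "10.1.1.10", 1433),
    "dmz->inside http": ("tcp", "192.168.80.10", "10.1.1.50", 80),
    "dmz->inside smb": ("tcp", "192.168.80.10", "10.1.1.50", 445),
}

def check(acl_text):
    """Return {flow: 'permit'|'deny'} for acl_text applied inbound on the DMZ interface."""
    aces = parse_acl(acl_text, parse_objects(OBJECTS))
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}
```

Calling check(ACL_ORIGINAL) permits every flow, including SMB to an inside workstation, which is the behaviour the question describes. check(ACL_RECOMMENDED) permits only HTTPS to the internet and port 1433 to the one named inside server; SSH outbound falls through to the implicit deny and everything else to the inside hits the RFC1918 deny. check(ACL_MISORDERED) shows why Paul's ordering point matters: with the web permit above the deny, HTTP to an inside host is permitted. Remember that on the real box the list still has to be bound with access-group to the DMZ interface, and that NAT and inspection can further change what a DMZ host can reach.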