Cisco Support Community

New Member

DMZ access

I'm new to setting up firewalls and I have a new ASA 5510 that I'm configuring. The way I understand security levels, inside interface traffic should be able to access DMZ resources because the DMZ interface has a lower security level. However I believe I need to add an access-list so the DMZ traffic can pass to inside interface resources. Is that correct?

If my assumptions are correct I have two additional questions:

1. I have a web server in my DMZ and some of the websites need to access server resources on the inside (specifically SQL DBs in most cases). Would the following command work for a website at 192.168.0.37 to access a SQL DB at 192.168.200.5?

DMZ - 192.168.0.0/24

Inside - 192.168.200.0/21

access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet

2. I need to be able to remote control the web server through RDC for administration from the inside. Would the following work?

access-list dmz extended permit tcp host 192.168.0.25 any eq 3389

5 REPLIES
Green

Re: DMZ access

"However I believe I need to add an access-list so the DMZ traffic can pass to inside interface resources. Is that correct?"

-Yes.

"Would the following command work for a website at 192.168.0.37 to access a SQL DB at 192.168.200.5?

access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet "

-Yes. But you would also want to add this...

access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet

access-list dmz extended deny ip any 192.168.200.0 255.255.255.0

access-list dmz extended permit ip any any

"I need to be able to remote control the web server through RDC for administration from the inside. Would the following work?

access-list dmz extended permit tcp host 192.168.0.25 any eq 3389 "

-You would not need to specify this traffic in the acl as the traffic is initiating from the inside (if I understood you correctly).

Also, for the networks on the inside which will need to have access to the dmz, you want to add a static like so...

static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

New Member

Re: DMZ access

"access-list dmz extended deny ip any 192.168.200.0 255.255.255.0"

- Will this prevent all traffic from the DMZ to the inside except for the specific entries listed above it (i.e. the SQLnet ACE)?

"access-list dmz extended permit ip any any"

- I'm not sure what the purpose of this ACE is. Wouldn't it allow traffic from anywhere except the 200.0 subnet into the inside?

"You would not need to specify this traffic in the acl as the traffic is initiating from the inside(if I understood you correctly)."

- So, if I initiate traffic from the inside to the DMZ, response traffic back to the inside will be allowed regardless?

Green

Re: DMZ access

"I'm not sure what the purpose of this ACE is. Wouldn't it allow traffic from anywhere except the 200.0 subnet into the inside?"

-Once you have allowed what you want from dmz to inside, then denied all other from dmz to inside, you must add the permit ip any any if you want the dmz to be able to go outside as well. Remember, this acl is applied into the dmz interface, it not only inspects traffic from dmz to inside, but dmz to anywhere. If you didn't add this, the machines on the dmz would not be able to access the internet.

"So, if I initiate traffic from the inside to the DMZ, response traffic back to the inside will be allowed regardless?"

-Yes, that's the whole point of a stateful firewall.

New Member

Re: DMZ access

First, thank you for all your help and you can be sure I will be rating your comments on this topic.

I'm not understanding something...if the outside interface security level is lower than the DMZ interface wouldn't traffic initiated from the DMZ to the outside be allowed just as you described above in the DMZ -> inside example? Then you wouldn't need the ACE that allows any IP.

Green

Re: DMZ access

No problem.

"I'm not understanding something...if the outside interface security level is lower than the DMZ interface wouldn't traffic initiated from the DMZ to the outside be allowed just as you described above in the DMZ"

-Yes, until you add an access-list into the dmz interface. Once you add the acl there is always an explicit "deny ip any any" at the end of the acl. So your acl really looks like this...

access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet

access-list dmz extended deny ip any 192.168.200.0 255.255.255.0

access-list dmz extended deny ip any any

Therefore you need to add the "permit ip any any" before the explicit deny.
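A small simulation of the ACL behaviour discussed across this thread (first-match order, the deny the ASA appends to the end of every interface ACL, and stateful return traffic), written as an added example for this page; it is not Cisco's code and not the poster's configuration. It assumes the ASA port name sqlnet resolves to TCP/1521 (Oracle SQL*Net; Microsoft SQL Server listens on 1433 and would need eq 1433), and the sample hosts, the extra port names and the "inside has no ACL bound" shortcut are constructed:

```python
"""Simulator for the ASA interface-ACL behaviour in this thread: first-match
evaluation, the implicit "deny ip any any" closing every interface ACL, and
stateful return traffic. Added illustration, not Cisco code; assumes the ASA
port name "sqlnet" is TCP/1521 and uses constructed sample hosts."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"sqlnet": 1521, "www": 80, "https": 443}  # small constructed subset

Flow = namedtuple("Flow", "proto src dst dport")        # one packet/flow to check
Ace = namedtuple("Ace", "action proto src dst dport")   # dport None = any port

def _parse_addr(tokens, i):
    """Parse one ASA address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(t[3], t[4], src, dst, dport)

def ace_matches(ace, flow):
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and (ace.dport is None or ace.dport == flow.dport))

def evaluate(acl, flow):
    """First matching ACE wins; returns (action, 1-based ACE number). A flow that
    matches nothing hits the implicit 'deny ip any any' (reported as None)."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, flow):
            return ace.action, n
    return "deny", None

class StatefulFirewall:
    """Only a connection's first packet is checked against the ingress ACL; once
    a conn entry exists, packets both ways pass on state and skip the ACL."""
    def __init__(self, acls):
        self.acls = acls    # ingress interface -> list of Ace (absent = no ACL)
        self.conns = set()  # (proto, src, sport, dst, dport)

    def packet(self, ingress, flow, sport, syn=True):
        key = (flow.proto, flow.src, sport, flow.dst, flow.dport)
        reverse = (flow.proto, flow.dst, flow.dport, flow.src, sport)
        if key in self.conns or reverse in self.conns:
            return "permit (existing connection)"
        if flow.proto == "tcp" and not syn:
            return "deny (no connection)"
        acl = self.acls.get(ingress)
        # No ACL bound: assumed here that ingress has the higher security level
        # (inside -> dmz in the thread), so the first packet is allowed.
        decision = "permit" if acl is None else evaluate(acl, flow)[0]
        if decision == "permit":
            self.conns.add(key)
        return decision

DMZ_ACL = [parse_ace(l) for l in (   # the three ACEs proposed in the thread
    "access-list dmz extended permit tcp host 192.168.0.37 host 192.168.200.5 eq sqlnet",
    "access-list dmz extended deny ip any 192.168.200.0 255.255.255.0",
    "access-list dmz extended permit ip any any",
)]

def demo():
    web, sql, lan = "192.168.0.37", "192.168.200.5", "192.168.200.20"
    r = {}
    r["sql"] = evaluate(DMZ_ACL, Flow("tcp", web, sql, 1521))                 # permit, ACE 1
    r["smb_to_lan"] = evaluate(DMZ_ACL, Flow("tcp", web, lan, 445))           # deny, ACE 2
    r["internet"] = evaluate(DMZ_ACL, Flow("tcp", web, "203.0.113.10", 443))  # permit, ACE 3
    # Drop the final "permit ip any any" and DMZ -> Internet hits the implicit deny.
    r["internet_no_permit_any"] = evaluate(DMZ_ACL[:2], Flow("tcp", web, "203.0.113.10", 443))
    # Order matters: the subnet deny placed first shadows the SQL permit.
    r["shadowed_sql"] = evaluate(DMZ_ACL[1:2] + DMZ_ACL[:1] + DMZ_ACL[2:], Flow("tcp", web, sql, 1521))
    # The deny covers 192.168.200.0/24 but the inside is /21: 192.168.201.x falls through.
    r["lan_outside_deny_mask"] = evaluate(DMZ_ACL, Flow("tcp", web, "192.168.201.7", 445))
    fw = StatefulFirewall({"dmz": DMZ_ACL})  # inside has no ACL bound
    r["rdp_from_inside"] = fw.packet("inside", Flow("tcp", lan, web, 3389), sport=50000)
    r["rdp_reply"] = fw.packet("dmz", Flow("tcp", web, lan, 50000), sport=3389, syn=False)
    r["rdp_from_dmz"] = fw.packet("dmz", Flow("tcp", web, lan, 3389), sport=50001)
    return r

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

Running it shows the points made in the replies: the SQL flow matches ACE 1, any other DMZ-to-inside flow is dropped by ACE 2, DMZ-to-Internet only gets out because of ACE 3 (remove it and the flow lands on the implicit deny), and swapping ACE 1 and ACE 2 silently breaks the SQL access because evaluation stops at the first match. The inside-initiated RDP session needs no ACE on the dmz ACL: its first packet is allowed by security level and the server's replies are passed on the connection entry, while a fresh RDP attempt from the DMZ host is still denied. One caveat the thread does not cover: the deny uses 255.255.255.0 while the inside is stated as 192.168.200.0/21, so DMZ hosts can still reach 192.168.201.0 and above through the final permit unless that mask is widened to 255.255.248.0.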
