New Member

DMZ outside access

I am having one of those moments where my brain is imploding....

I have an ASA running 8.x.

Inside = 100

DMZ = 30

Outside = 0

Am I correct in saying....

All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.

All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.

Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.

Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any-any less secure' ACE applied?

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: DMZ outside access

All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.

All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.

Correct. More specifically, it is allowed by default unless you have applied an acl to that interface.

Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.

Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any-any less secure' ACE applied?

Exactly. As soon as an acl is applied to an interface, all traffic is checked against that acl regardless of security level.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
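An added illustration of the behaviour Jon describes, in ASA 8.x configuration terms; this is not from the thread, and the interface VLANs, the DMZ/inside subnets and the ACL name are assumed placeholders:

```cisco
! Assumed interface layout (not from the thread), matching the security levels in the question
interface Vlan100
 nameif inside
 security-level 100
interface Vlan30
 nameif dmz
 security-level 30
interface Vlan1
 nameif outside
 security-level 0

! With NO access-group on dmz, dmz (30) -> outside (0) is permitted purely by the
! security-level rule, and return traffic rides the stateful connection table.

! The moment one ACE is bound inbound on dmz, that implicit permit is gone: every
! packet entering dmz is matched top-down against DMZ_IN and anything unmatched
! hits the implicit deny at the end, regardless of security level.
access-list DMZ_IN extended permit tcp host 10.0.30.10 any eq 80
access-group DMZ_IN in interface dmz
! Result: 10.0.30.20 (and every other DMZ host) can no longer reach the outside.

! Fix: state the desired policy explicitly. ACEs are first-match, so the deny
! toward the higher-security inside segment must come before the broad permit.
access-list DMZ_IN extended deny ip 10.0.30.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list DMZ_IN extended permit ip 10.0.30.0 255.255.255.0 any
! (the earlier host 10.0.30.10 ACE is now a subset of the final permit)

! Verify: packet-tracer reports which ACE matched, or that the implicit deny dropped it
packet-tracer input dmz tcp 10.0.30.20 1025 203.0.113.10 80
show access-list DMZ_IN
```

The hit counts from `show access-list` are the quickest way to confirm which ACE is actually carrying the DMZ-to-outside traffic after the change.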

2 REPLIES
New Member

Re: DMZ outside access

Thanks Jon. As usual, you are right.
