I'm configuring an ASA 5505 with the Security Plus bundle running Version 7.2(4) Software. I'm trying to get my DMZ setup correctly. I have successfully got inbound access to my DMZ from my inside interface working so I can remotely manage my DMZ servers and I have outside and inside access INBOUND working to my web servers and DNS Servers. However, I'm having difficulty getting my mail and DNS servers to make any outbound connections to either my inside or outside interface. I need this for sending email, performing DNS lookups for email and allowing all my servers to access vendor OS updating services. Can someone post the current CLI syntax for allowing a DMZ host to access outside interface connections? I found some examples by searching other posts but they are all several years old and the syntax has changed enough that I'm having trouble getting any of them to work.
Wolf @ CyberWolves
You need to configure the following:-
Follow the config you used for Inside to Outside access.
By default any traffic from a higher security interface to a lower security interface is permitted by default.
Thanks for the quick response. This raises two additional questions for me.
First: The ASDM set-up script generated the inside setting for allowing all outbound traffic by default so I don't know the CLI syntax for replicating that on the DMZ interface. Can you please provide that?
Second: While I was searching Cisco support trying to figure out how to do this on my own I found a rather old (2002) whitepaper that discussed the merits of creating and using a DMZ. In that paper it recommended that the DMZ be in the most locked state possible and further recommended only allowing those specific hosts and ports that required self initiated outbound traffic (mail servers was the example) to have it. Unfortunately, it didn't give an example of how to do that. If I wanted to follow this recommendation, what would the syntax be to permit a specific host (and perhaps port) to access the outside interface? Or, in your opinion is this really necessary for security reasons?
OK - I don't use the ASDM, but generally I do the following when I have a requirement for a DMZ:-
1) outside interface - security 0
2) inside interface - security 100
3) DMZ interface - security level 50
This means the following:-
1) Any traffic originating from the internet (outside) will not be permitted to the inside or DMZ without an explicit acl that permits the traffic
2) Any traffic originating from the inside is permitted by default to flow out of the outside and DMZ interfaces
3) If you want to allow devices on the DMZ to be able to initiate traffic to the inside interface it requires an explicit permit acl.
Regarding the DMZ - I personally don't allow any servers in the DMZ to access the inside unless it's really required.
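As an added example (not from the original posters), here is what a locked-down DMZ of the kind described in the 2002 whitepaper looks like in ASA 7.2 syntax. The VLAN numbers, interface addresses and the mail-server address 172.16.1.10 are assumed values; the commands themselves (`security-level`, `access-list ... extended`, `access-group`, `nat`/`global`, `packet-tracer`) are the standard 7.2 CLI. The key point a practitioner should know: as soon as an access list is applied to the dmz interface, the implicit higher-to-lower permit is gone and only what the list permits will pass, so the list must also say what the DMZ may and may not do toward the inside.

```cisco
! Interface security levels (VLAN numbers and addresses are hypothetical)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Locked-down DMZ policy, evaluated top to bottom, applied to traffic
! entering the ASA from the dmz interface.
!
! 1. Nothing in the DMZ may originate connections to the inside network.
!    This line must come first, because "any" in the permits below would
!    otherwise match inside addresses as well as the Internet.
access-list DMZ_OUT extended deny ip any 192.168.1.0 255.255.255.0
! 2. Only the mail server (assumed 172.16.1.10) may send mail and resolve names.
access-list DMZ_OUT extended permit tcp host 172.16.1.10 any eq smtp
access-list DMZ_OUT extended permit udp host 172.16.1.10 any eq domain
access-list DMZ_OUT extended permit tcp host 172.16.1.10 any eq domain
! 3. Every DMZ host may reach vendor update services over HTTP/HTTPS.
access-list DMZ_OUT extended permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list DMZ_OUT extended permit tcp 172.16.1.0 255.255.255.0 any eq https
! 4. Log everything else that is dropped, so mistakes show up in syslog.
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
!
! Translation for DMZ hosts that have no static of their own. The inside
! network typically already has "nat (inside) 1 ..." from the ASDM wizard;
! DMZ hosts need their own nat statement tied to the same global pool.
global (outside) 1 interface
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Verification: simulate the mail server opening SMTP to an outside host
! (198.51.100.5 is a hypothetical remote MTA) and see which ACL/NAT lines
! the packet hits and whether the final action is ALLOW or DROP.
packet-tracer input dmz tcp 172.16.1.10 1025 198.51.100.5 25
show access-list DMZ_OUT
```

The `show access-list` hit counts tell you which line a connection actually matched, which is the quickest way to find an unintended deny of the sort discussed later in this thread.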
"By default any traffic from a higher security interface to a lower security interface is permitted by default."
When you say "any", that is NOT correct.
Security Level Overview
Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network can be in-between. You can assign interfaces to the same security level.
The level controls the following behavior:
• Network access-By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
This is helpful. Here is what I have:
Outside Interface is set to Security level 0
DMZ interface is set to Security Level 50
Inside Interface is set to Security Level 100
If I'm reading the posts and documentation from the link provided correctly my Inside and DMZ should both have outbound traffic permitted to the Outside interface if they both have higher security levels. Obviously the reverse is true and Outside interface is explicitly denied from allowing anything initiated from the outside (i.e., Internet in my case) to access either the Inside or DMZ without an ACL permitting since it is a lower security to both of them.
Since the DMZ should be allowing traffic to a lower security interface such as my outside interface; but it is NOT doing that now; then I must have an ACL specifically blocking the traffic. Is that a correct assessment? Now, I just need to try and figure what ACL is doing this. I'm not aware of issuing such an ACL (at least not intentionally). By the way, in case everyone hasn't figured this out yet; I'm pretty new to trying to configure the ASA series devices and am not a real strong Cisco OS person so I really appreciate everyone's patience and help in getting me through this.
Attached is a sanitized version of my configuration in case someone can help me understand why this isn't working as it should be?
"Network access-By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface."
Does it work for icmp "echo-reply" as well? Let's say your internal host of 192.168.1.1 wants to ping a host on the Internet of 126.96.36.199. Will the "echo-reply" make it back to your internal host with the statement you made above?
That's my point.
Specifically "Hosts on the higher security interface can access any host on a lower security interface"
This is referring to TCP/UDP over IP - this will work every single time.
echo-reply is ICMP - which works alongside IP, and I like to think a little lower - as you need to have a src/dst IP address, with a specific ICMP type = which is lower than IP in the protocol stack.
So to answer your question - a firewall will allow ALL IP Protocol traffic, which 99.999% of the time is all anyone wants from a firewall. ICMP has to be specifically allowed because it's NOT part of the IP Protocol suite - it is its own protocol in its own right.
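As an added example (not from any of the posters), the two standard ways on an ASA to let the echo-reply in the ping scenario above come back through the outside interface. The ASA tracks TCP and UDP connections statefully, but ICMP is only tracked when `inspect icmp` is enabled, so without one of these the reply is dropped at the outside interface. The interface names and the ACL name OUTSIDE_IN are assumptions; `global_policy` and `inspection_default` are the names the ASDM startup wizard creates.

```cisco
! Option A (preferred): make ICMP stateful. The ASA then allows only the
! reply that matches an echo-request it saw leave, and drops unsolicited
! echo-replies from the Internet.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: permit the reply types explicitly on the outside interface.
! Caution: applying an access-group here replaces the implicit deny with
! this list's own implicit deny, so any existing inbound permits for the
! web and DNS servers must live in the same list, and unsolicited
! echo-replies are accepted whether or not a request was sent.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Check which rule a returning reply would hit (addresses as in the
! question above; the first is the inside host, the second the Internet host)
packet-tracer input outside icmp 126.96.36.199 0 0 192.168.1.1
```

With Option A in place, `show service-policy inspect icmp` reports the inspection as active and the packet-tracer shows the reply being matched to the existing flow rather than to an ACL line.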