Cisco Support Community
DMZ to access internet

Hello,

I have a few servers placed on our DMZ; they all have static NAT. In order to access any port on the internet I need to put an ACL that allows traffic from the DMZ to any. Shouldn't the DMZ by default be allowed to access the Internet, since it is on the higher security side?

Thanks and best regards

WO

  • Firewalling
4 REPLIES

Re: DMZ to access internet

I forgot to mention the firewall is an ASA 5520, version 7.0.


Re: DMZ to access internet

Hi Wajma,

You are correct. By default, any higher security level interface will be able to access the lower security level interfaces on the ASA.

But when you apply any access-list (either permit or deny) to the DMZ interface, all other traffic will be blocked from the DMZ zone, because the ASA adds 'deny ip any any' at the end of the access-list automatically. So all other traffic will be denied except the flows which are explicitly permitted.

1) All internet traffic will be permitted from the DMZ if you don't apply any access-list to the DMZ.

2) If you apply any access-list, you need to specify all the allowed traffic from the DMZ. Everything that is not explicitly permitted will be dropped. Remember that 'deny ip any any' is added automatically at the end of the access-list.

Regards

Jithesh


Re: DMZ to access internet

Hi Jithesh,

Thank you for your response. Now, when I allow http to any on the DMZ interface, it actually allows http to the internet and to the inside network. Then I have to add a deny statement after every allow statement to deny access to the internal network. Am I right, or is there a better way of doing this?

Thank you.


Re: DMZ to access internet (Accepted Solution)

Hi Wajma,

If you permit http traffic to any at the top of the access-list on the DMZ interface, it allows http to the internet as well as to the inside network. After that, even if you deny the unwanted traffic below, that will not be effective, because the PIX/ASA processes the access-list in order and stops at the first match.

Here you need to deny the unwanted traffic first, before you give 'permit ip any any eq http', so that all the specified unwanted traffic is blocked first. It is a time-consuming and not very effective method. Loopholes can occur.

Another effective way of doing this is Policy NAT and Static Policy NAT.

Here we can define the source and destination address ranges which can communicate with another interface in the NAT command itself. An access-list along with this Policy NAT is an effective method.

Please visit the following URL for more info about this:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Regards

Jithesh
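
The two mechanics this thread turns on, first-match processing of the access-list and the implicit 'deny ip any any' appended to it, can be checked offline before a change window. The following is an added example and not code from the thread or from Cisco: a small Python evaluator for a subset of ASA extended ACE syntax, run over two constructed orderings of the same DMZ access-list. The ACL name DMZ_IN, the 192.168.10.0/24 DMZ, the 10.0.0.0/8 inside network and the test addresses are all constructed for illustration. A shadow check flags ACEs that no packet can ever reach, which is the "loophole" the accepted answer warns about when the permit-to-any sits above the deny.

```python
"""First-match evaluation of Cisco ASA extended access-lists (added example).

Not code from the original thread.  ACL name, networks and hosts below are
constructed for illustration; the syntax subset is ASA 7.x/8.x
'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}


@dataclass
class Ace:
    """One access-control entry."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tok[i]; return (net, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down and stop at the first matching ACE, as the ASA does.

    Returns (action, index).  index None means nothing matched and the
    implicit 'deny ip any any' at the end of every ASA access-list applied.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that b would match is already matched by a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be reached because an earlier ACE covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# The order the thread warns against: permit-to-any first, so the deny below is dead.
SHADOWED_ACL = parse_acl("""
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list DMZ_IN extended deny tcp 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0 eq www
""")

# Deny the inside network first, then permit the rest of the world.
CORRECT_ACL = parse_acl("""
access-list DMZ_IN extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq www
""")

if __name__ == "__main__":
    web = "192.168.10.5"                                            # constructed DMZ web server
    print(evaluate(SHADOWED_ACL, "tcp", web, "10.1.1.5", 80))       # ('permit', 0): leak to inside
    print(shadowed(SHADOWED_ACL))                                   # [1]: the deny is unreachable
    print(evaluate(CORRECT_ACL, "tcp", web, "10.1.1.5", 80))        # ('deny', 0)
    print(evaluate(CORRECT_ACL, "tcp", web, "203.0.113.10", 80))    # ('permit', 1)
    print(evaluate(CORRECT_ACL, "tcp", web, "203.0.113.10", 443))   # ('deny', None): implicit deny
```

The evaluator only models the case the thread is about, an access-group applied to the DMZ interface; with no ACL applied, the ASA permits higher-to-lower flows purely by security level, as the first reply says. On the real box the same shadowing shows up in `show access-list`, where a deny ACE sitting below a broader permit keeps a hit count of zero no matter how much inside-bound traffic the DMZ hosts generate.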
