Cisco Support Community

New Member

DMZ to "outside only" traffic

Hello all.

This is my first time on this board and I'm also quite new to the ASA, so I apologize if my question is too simple.

I have a classical "inside + DMZ + outside" configuration.

I also have a mail server in the DMZ which has to be allowed to reach any destination on the outside (Internet), at least on the SMTP port, of course.

If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).

I didn't find any option to tell the ASA to allow any destination, but only through the outside interface.

I do believe it is possible to have the ASA allow any kind of traffic from a host on the DMZ to the outside interface only, but I couldn't figure out how.

Could any of you help me with this problem?

Really thank you all for your help.

Giovanni

P.S.: I'm using a 5510 machine running version 8.2


Accepted Solutions
Green


The way to do what you want is with an access list. There is no way to tell the ASA to filter on traffic going to the inside but allow everything going to the outside (well....other than the access list). So, permit what you want to permit to the inside, deny everything else to the inside, then allow anything else.

4 REPLIES
Green


You must first deny traffic to the inside, then allow traffic to everything else. The ASA will process the access list from the top down and stop at the first match.

access-list dmz extended deny ip any <inside-network> <inside-mask>
access-list dmz extended permit ip any any
access-group dmz in interface dmz

You should also know that by default, the ASA will allow all traffic from a higher security level interface to a lower security level interface. It will also block by default traffic from a lower security interface to a higher security level interface. So if your outside is 0, inside is 100, and dmz is 50, the ASA will do by default what you are writing an access list for.

New Member


I know that, by default, traffic from a less secure interface to a more secure interface isn't allowed.

But since I'm forced to allow traffic to "any"...

I also know I could deny traffic to the inside or however manage it with an access list, and then allow traffic to any.

But is it possible there isn't a way to simply allow the traffic routed out through the outside interface?

Besides, the mail machines in the DMZ (IronPort) also need to exchange traffic with the internal network.

They need to send/receive traffic with the internal mailboxes (MS Exchange), they also need internal DNS resolution, and they need to be reachable from the internal network for management.

I have many internal networks to allow/deny/manage using this approach...

If there isn't another way... I'm going to prepare the access list. :-(

Thank you very much for your help.

Giovanni
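The accepted solution and the reply above describe the approach (permit the specific inside flows, deny everything else to the inside, then permit anything else) and the reason ordering matters (the ASA stops at the first matching line). The following is an added example, not code from this thread or from Cisco: a toy first-match evaluator for the subset of ASA extended ACL syntax used here, run against a constructed ACL for the flows this post lists (SMTP to Exchange, DNS to an internal resolver, SMTP to any Internet host). The ACL name dmz_in, the host addresses and the 10.0.0.0/8 inside range are assumptions chosen to fit the scenario. Management from the inside to the DMZ is not in the ACL because it is initiated from the higher-security interface, which the ASA permits by default, and the stateful inspection handles the return traffic.

```python
"""Toy first-match evaluator for a subset of Cisco ASA extended ACL syntax.

Added example for this thread (not Cisco code, not the poster's config).
Parsed grammar (only what the constructed ACL below uses):
  access-list NAME extended {permit|deny} {ip|tcp|udp} SRC DST [eq PORT]
where SRC and DST are `any`, `host A.B.C.D`, or `NET MASK`.
All addresses and names are assumptions, not values from the thread.
"""
import ipaddress

# Constructed ACL in the order the accepted solution recommends:
# specific permits to the inside, deny everything else to the inside,
# then permit anything else (i.e. anything routed out to the Internet).
DMZ_ACL = """
access-list dmz_in extended permit tcp host 192.0.2.25 host 10.1.0.10 eq 25
access-list dmz_in extended permit udp host 192.0.2.25 host 10.1.0.53 eq 53
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in extended permit ip any any
"""

# Same lines with the broad permit first: the deny is never reached.
BAD_ACL = """
access-list dmz_in extended permit ip any any
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0
"""


def _parse_addr(tokens):
    """Consume one address spec from the front of `tokens`, return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # NET MASK form
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port_or_None)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:3] == ["remark"]:
            continue
        name, kind, action, proto = tokens[1:5]
        if kind != "extended":
            raise ValueError(f"unsupported ACL form: {line}")
        rest = tokens[5:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Walk the ACL top down; the first matching line decides the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"  # every ASA ACL ends in an implicit deny


if __name__ == "__main__":
    good = parse_acl(DMZ_ACL)
    bad = parse_acl(BAD_ACL)
    # Constructed flows from the DMZ relay 192.0.2.25.
    flows = [
        ("tcp", "192.0.2.25", "10.1.0.10", 25),      # SMTP to Exchange
        ("udp", "192.0.2.25", "10.1.0.53", 53),      # DNS to internal resolver
        ("tcp", "192.0.2.25", "10.1.0.10", 22),      # SSH to Exchange: blocked
        ("tcp", "192.0.2.25", "10.9.9.9", 445),      # SMB to inside: blocked
        ("tcp", "192.0.2.25", "203.0.113.7", 25),    # SMTP to the Internet
    ]
    for f in flows:
        print(f"{f}: ordered={evaluate(good, *f)}  permit-first={evaluate(bad, *f)}")
```

Running it shows the ordered ACL permitting only the two inside flows plus anything bound for non-10.0.0.0/8 addresses, while the permit-first variant lets every flow through, including SMB to an internal host. The same check is worth doing on the ASA itself with `packet-tracer input dmz tcp 192.0.2.25 12345 10.9.9.9 445` after applying the access-group, to confirm which line the flow hits.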


New Member


It is not possible to select traffic depending on the outgoing interface...

Ok, I already prepared the ACL :-(

Thank you for your help.

Giovanni
