Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Do I need a DMZ ACL in this case?

If I have a DMZ (security 10) that I want to put a single appliance in, and I will only be accessing the device from an inside Interface (security) on port 80, I am thinking I don't need an inboud acl on the DMZ interface.

Or, do I have to have one and just have "deny any any" on the acl?

There will never be any access from this appliance to the DMZ anywhere else. I only need to get to it on port 80 from inside.

Super Bronze

Do I need a DMZ ACL in this case?


If the device on the DMZ does not need to open connections towards the "inside" but only "outside" then you dont need an ACL on the DMZ interface.

If the "inside" interface also doesnt have ACL then it should be able to connect to the DMZ. Otherwise allow the traffic on the "inside" interface ACL if one is used.

Naturally also have to allow from behind the "outside" if your hosting some service on the DMZ device.

NAT might also play a role but its impossible to say based on the above information.

- Jouni

New Member

Do I need a DMZ ACL in this case?

Thanks for the reply, I have a nother question that I was wondering also:

I didn't set this up and wouldnt have done it this way, but:

The inside interface is on an isolated interface with a security level of 100.

There is a second interface set up on one of the physical interfaces (not the "inside" interface), and it is located on the inside network as well.

This interface is set up with several logical interfaces and they each have a security level of 100. When I attempt to change the security level of one of the logical interfaces, I get a warning that says:

"Changing the security level of an interface may cause the ASA configuration to become invalid, causing the ASA to drop legal traffic, or allow illegal traffic to pass through. Do you wish to proceed?"

Is this a default warning, and should I be able to change the security level on one logical interface, without affecting the other logical interfaces on the physical interface. I believe I can, but just checking.

Do I need a DMZ ACL in this case?

Hello Wilson,

No need bud, if the device that innitiates the connection lives on the higher level interface then the returning traffic will be allowed due to the inspection engine (it's an existing session).

By default this traffic will be denied if innitiated from the DMZ.

If you want to start the traffic from the DMZ then the ACL will be needed but as you said it will never happen you will be fine.

Rate all of the helpful posts!!!



Follow me on

Julio Carvajal
Senior Network Security and Core Specialist
CreatePlease login to create content