Do I need a DMZ ACL in this case?

wilson_1234_2
Level 3

If I have a DMZ (security 10) that I want to put a single appliance in, and I will only be accessing the device from an inside interface (security) on port 80, I am thinking I don't need an inbound ACL on the DMZ interface.

Or, do I have to have one and just have "deny any any" on the acl?

There will never be any access from this appliance to the DMZ anywhere else. I only need to get to it on port 80 from inside.

3 Replies

Jouni Forss
VIP Alumni

Hi,

If the device on the DMZ does not need to open connections towards the "inside" but only towards the "outside", then you don't need an ACL on the DMZ interface.

If the "inside" interface also doesn't have an ACL, then it should be able to connect to the DMZ. Otherwise, allow the traffic in the "inside" interface ACL if one is used.

Naturally, you also have to allow traffic from behind the "outside" if you're hosting some service on the DMZ device.

NAT might also play a role, but it's impossible to say based on the above information.

- Jouni

Thanks for the reply. I have another question that I was also wondering about:

I didn't set this up and wouldn't have done it this way, but:

The inside interface is on an isolated interface with a security level of 100.

There is a second interface set up on one of the physical interfaces (not the "inside" interface), and it is located on the inside network as well.

This interface is set up with several logical interfaces and they each have a security level of 100. When I attempt to change the security level of one of the logical interfaces, I get a warning that says:

"Changing the security level of an interface may cause the ASA configuration to become invalid, causing the ASA to drop legal traffic, or allow illegal traffic to pass through. Do you wish to proceed?"

Is this a default warning, and should I be able to change the security level on one logical interface without affecting the other logical interfaces on the physical interface? I believe I can, but I'm just checking.

Julio Carvajal
VIP Alumni

Hello Wilson,

No need, bud. If the device that initiates the connection lives on the higher-level interface, then the returning traffic will be allowed due to the inspection engine (it's an existing session).

By default, this traffic will be denied if initiated from the DMZ.

If you want to start the traffic from the DMZ, then the ACL will be needed, but, as you said, it will never happen, so you will be fine.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
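The configuration the two replies above describe, as an added example that is not part of the original thread and not the poster's own ASA config. Interface names, VLAN IDs, IP addresses, the appliance address 172.16.10.5 and the ACL name INSIDE_IN are all assumed for illustration. It shows the DMZ interface with no access-group applied (so DMZ-initiated traffic toward inside falls under the default lower-to-higher deny, while replies to inside clients ride the existing connection), the permit needed on the inside ACL if one is in use, and the second physical interface carrying several same-security-level subinterfaces from the follow-up question.

```cisco
! Added example configuration (not from the original thread). Interface
! names, VLAN IDs, addresses and the ACL name are assumed for illustration.

! Inside interface: highest security level.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown

! DMZ interface holding the single appliance (assumed address 172.16.10.5).
interface GigabitEthernet0/1
 nameif dmz
 security-level 10
 ip address 172.16.10.1 255.255.255.0
 no shutdown

! Deliberately no "access-group ... in interface dmz". With no inbound ACL,
! connections the appliance tries to open toward inside (10 -> 100) are
! dropped by the default security-level rule, while its replies to HTTP
! requests from inside are permitted because they match an existing
! connection in the state table.

! Only needed if inside already has an inbound ACL applied: an applied ACL
! replaces the security-level default for that direction, so the HTTP
! traffic to the appliance must be permitted explicitly. The ACL's other
! existing entries would follow this line.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.10.5 eq www
access-group INSIDE_IN in interface inside

! Second physical interface carrying several VLAN subinterfaces, each with
! its own nameif and its own security-level (the layout in the follow-up).
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown

interface GigabitEthernet0/2.10
 vlan 10
 nameif inside-vlan10
 security-level 100
 ip address 10.1.10.1 255.255.255.0

interface GigabitEthernet0/2.20
 vlan 20
 nameif inside-vlan20
 security-level 100
 ip address 10.1.20.1 255.255.255.0

! Interfaces at the same security level do not forward traffic between each
! other unless this is enabled; remove it if the VLANs should stay isolated.
same-security-traffic permit inter-interface
```

Each subinterface is a separate named interface with its own security-level statement, so lowering one of them changes only that interface's default behaviour relative to the others; the warning the ASA prints when the level changes is the same generic prompt regardless of which interface is edited. If NAT is configured between inside and dmz, the destination in the inside ACL must be the address as it appears on the inside (the real address on ASA 8.3 and later), which is the NAT dependency Jouni points at.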