12-10-2013 08:28 AM - edited 03-11-2019 08:15 PM
If I have a DMZ (security 10) that I want to put a single appliance in, and I will only be accessing the device from an inside Interface (security) on port 80, I am thinking I don't need an inbound acl on the DMZ interface.
Or, do I have to have one and just have "deny any any" on the acl?
There will never be any access from this appliance to the DMZ anywhere else. I only need to get to it on port 80 from inside.
12-10-2013 09:06 AM
Hi,
If the device on the DMZ does not need to open connections towards the "inside" but only "outside" then you don't need an ACL on the DMZ interface.
If the "inside" interface also doesn't have an ACL then it should be able to connect to the DMZ. Otherwise allow the traffic on the "inside" interface ACL if one is used.
Naturally you also have to allow from behind the "outside" if you're hosting some service on the DMZ device.
NAT might also play a role but it's impossible to say based on the above information.
- Jouni
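As an added illustration (not configuration from either poster), here is a minimal ASA setup matching what the thread describes: a DMZ interface at security level 10 with no access-group bound to it, the inside interface at 100, and an explicit permit for the web flow for the case where the inside interface carries its own inbound ACL. Interface names, IP addresses, the ACL name and the appliance address 192.168.10.5 are constructed placeholders; NAT is not shown.

```cisco
! Constructed example: names, addresses and the ACL name are placeholders.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 10
 ip address 192.168.10.1 255.255.255.0
!
! No access-group is bound to "dmz", so the default interface policy applies:
! new connections from dmz (10) toward inside (100) are dropped, and the only
! dmz->inside packets that pass belong to sessions that inside opened first.
!
! If "inside" carries an inbound ACL, the web flow must be permitted explicitly.
! The trailing deny makes it visible that everything else from inside toward
! lower-level interfaces is now blocked (and logged) by this ACL.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.5 eq www
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Verification from the CLI (addresses constructed):
! packet-tracer input inside tcp 10.0.0.50 40000 192.168.10.5 80
!   -> expect "Action: allow"
! packet-tracer input dmz tcp 192.168.10.5 40000 10.0.0.50 80
!   -> expect "Action: drop" (no ACL on dmz, lower to higher level)
! show conn address 192.168.10.5
!   -> shows the established session that carries the reply traffic back to inside
```

The two packet-tracer runs are the quickest way to confirm both halves of the answer on a live box: the inside-initiated flow is allowed, and a DMZ-initiated flow toward inside is dropped without any explicit deny on the DMZ interface. If NAT sits between inside and the DMZ, a matching NAT rule is needed as well, which is the point Jouni raises.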
12-11-2013 08:14 AM
Thanks for the reply, I have another question that I was wondering also:
I didn't set this up and wouldn't have done it this way, but:
The inside interface is on an isolated interface with a security level of 100.
There is a second interface set up on one of the physical interfaces (not the "inside" interface), and it is located on the inside network as well.
This interface is set up with several logical interfaces and they each have a security level of 100. When I attempt to change the security level of one of the logical interfaces, I get a warning that says:
"Changing the security level of an interface may cause the ASA configuration to become invalid, causing the ASA to drop legal traffic, or allow illegal traffic to pass through. Do you wish to proceed?"
Is this a default warning, and should I be able to change the security level on one logical interface without affecting the other logical interfaces on the physical interface? I believe I can, but just checking.
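For the subinterface question, as an added example that is not from the thread: on the ASA, security-level is configured per named logical interface, so VLAN subinterfaces of one physical port each carry their own value and one can be changed without touching the others. Interface names, VLAN IDs and addresses below are constructed.

```cisco
! Constructed example: one physical port carrying two VLAN subinterfaces,
! each a separate logical interface with its own nameif and security-level.
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.10
 vlan 10
 nameif users
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/3.20
 vlan 20
 nameif mgmt-servers
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
! Lowering "mgmt-servers" to 90 leaves "users" and the parent port unchanged.
! The effect is only on the default policy between them: users (100) -> mgmt-servers (90)
! is allowed without an ACL, and mgmt-servers -> users is dropped unless an ACL
! bound to mgmt-servers permits it.
!
! While both subinterfaces sat at 100, traffic between them needed this global setting:
! same-security-traffic permit inter-interface
!
! Verify the per-interface values after the change:
! show running-config interface GigabitEthernet0/3.20
! show nameif
```

The warning quoted in the question describes exactly this kind of side effect: flows that were implicitly permitted by an equal or higher level can become drops after the change, and flows that were dropped can become permitted, so every ACL and NAT rule that referenced the old relationship between those two interfaces is worth re-reading before confirming.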
12-10-2013 09:09 AM
Hello Wilson,
No need bud, if the device that initiates the connection lives on the higher level interface then the returning traffic will be allowed due to the inspection engine (it's an existing session).
By default this traffic will be denied if initiated from the DMZ.
If you want to start the traffic from the DMZ then the ACL will be needed but as you said it will never happen you will be fine.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com