Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Firewall 9.1 dmz rule

Hi,

i am running a cisco asa 5520 (ver9.1) - i want to add a implicit to less secure networks and deny the rest. how can i do this ?

Thanks                  

3 REPLIES
Super Bronze

Firewall 9.1 dmz rule

Hi,

Can you clarify a bit.

Do you mean that you want to allow the DMZ access to less secure networks and block all other traffic?

The main question in this case would be if you are using ACL in the DMZ interface at the moment?

If you are NOT using ACL in the DMZ interface then the "security-level" value should be enough to to achieve this.

Since you ask about this then I would presume that you already have ACL configured on the interface. If so then this means you will have to configure the ACL in the way that your specifications are met. This is because the "security-level" doesnt really have any meaning after an ACL has been attached to the interface.

If you were to build an ACL to mimic the operation of "security-level" value you could follow the following sample configuration.

object network DMZ-BLOCKED

description Networks blocked for the DMZ

network-object

network-object

network-object

network-object

access-list DMZ-IN remark Deny traffic to more secure networks

access-list DMZ-IN deny ip any object-group DMZ-BLOCKED

access-list DMZ-IN remark Allow all other traffic

access-list DMZ-IN permit ip any

access-group DMZ-IN in interface dmz

The above example would essentially first group all the networks to which the DMZ is NOT to have access inside an "object-group". This "object-group" would then be used in the DMZ interface ACL as the destination to block traffic to those networks. After this all other traffic would be allowed which would essentially allow outbound Internet connections or connections to LAN networks that WERE NOT specified in the "object-group" we created.

If for some reason you need to allow traffic to more secure networks then you would have to add "permit" statements for those at the TOP of the created ACL (so they dont get blocked by the "deny" statement)

Hope this helps

- Jouni

New Member

Firewall 9.1 dmz rule

for some reason our firewall is messed up. coould you please give me the default rule to say to "permit less secure network" on a dmz interface

Super Bronze

Firewall 9.1 dmz rule

Hi,

Wihtout knowing the exact setup its impossible for me to give any actual specific configuration. More than I have already mentioned above. The above configuration example blocks traffic to more secure networks (that you define in the object-group) and then allows all other traffic that would essentially mean all the less secure networks.

If you want the ASA to do this automatically then the only way would be to purely use "security-level" configurations on the DMZ interface without any interface ACL.

- Jouni

126
Views
0
Helpful
3
Replies
CreatePlease to create content