Cisco Support Community


Help shaping firewall rules:

I have recently started work for a new company and have taken over the ASA 5510 Firewall rules. I have worked with them a bit in the past, but not enough to say I am very strong or a master.

Anyway, after taking a look at the firewall rules, I was horrified with what I found. Basically, the DMZ has full access to the LAN and vice versa.

Talking with the management, I asked if we could change this because this is a huge security concern.

They finally gave me permission, but now I am in a position of:

where do I start?

how do I maximize security?

I am in the process of mapping the servers in the DMZ, what services they run, their IPs and what they need.

Does anyone have some suggestions on how to go about this?

Right now, there is one Windows server and 3 Mac OS X servers in there, hosting FTP and HTTP/HTTPS.

They should only need to come into the LAN to query our DNS server, as well as port 80 to our winupdate server for patches.

Anyone want to help me get started? I feel overwhelmed.



Re: Help shaping firewall rules:

As per your explanation, I understood that the DMZ has an equal security level to the inside (LAN) network. Then, your configuration must contain the command "same-security-traffic permit inter-interface". You should remove this command by entering "no same-security-traffic permit inter-interface" in the global configuration mode of the ASA. Then modify the security level of the DMZ to be slightly lower than the inside network. Now, the networks in the DMZ cannot access the inside network. As per your requirement, you can put ACLs in place to allow the needed traffic to come inside into the LAN.
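An added configuration example (not from either poster) that puts the answer above together with the needs listed in the original question: the DMZ at a lower security level than inside, the blanket inter-interface permit removed, and an ACL on the DMZ interface that allows only DNS to the internal DNS server and TCP/80 to the update server. Interface names, the 10.0.0.0/24 and 192.168.100.0/24 addresses, and the object-group names are constructed placeholders; the syntax assumes the ASA 8.0/8.2-style object-group form used on a 5510 of that era.

```cisco
! --- Security levels: the DMZ must be strictly lower than inside ---
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50

! --- Drop the blanket permit that allowed DMZ <-> LAN at equal security ---
no same-security-traffic permit inter-interface

! --- Constructed addresses (placeholders, not from the thread) ---
object-group network INSIDE-DNS
 network-object host 10.0.0.10
object-group network INSIDE-WSUS
 network-object host 10.0.0.20
object-group network INSIDE-LAN
 network-object 10.0.0.0 255.255.255.0
object-group network DMZ-SERVERS
 network-object 192.168.100.0 255.255.255.0

! --- Only the flows the DMZ actually needs into the LAN ---
access-list DMZ-IN remark DNS lookups against the internal resolver (UDP and TCP 53)
access-list DMZ-IN extended permit udp object-group DMZ-SERVERS object-group INSIDE-DNS eq domain
access-list DMZ-IN extended permit tcp object-group DMZ-SERVERS object-group INSIDE-DNS eq domain
access-list DMZ-IN remark Patch downloads from the internal update server
access-list DMZ-IN extended permit tcp object-group DMZ-SERVERS object-group INSIDE-WSUS eq www
! Explicit, logged deny for anything else aimed at the LAN so unexpected
! DMZ -> inside attempts show up in syslog
access-list DMZ-IN extended deny ip any object-group INSIDE-LAN log
! Applying an ACL replaces the implicit "permit to lower security" behaviour,
! so DMZ hosts need this line to keep reaching the Internet
access-list DMZ-IN extended permit ip object-group DMZ-SERVERS any

access-group DMZ-IN in interface dmz

! --- Verification from exec mode (hit counters and a simulated flow) ---
! show access-list DMZ-IN
! packet-tracer input dmz udp 192.168.100.10 40000 10.0.0.10 53
! packet-tracer input dmz tcp 192.168.100.10 40000 10.0.0.50 445
```

The ordering matters: ASA evaluates an ACL top down and stops at the first match, so the specific permits come first, the logged deny toward the LAN second, and the general permit toward the Internet last. The two packet-tracer runs show the expected outcomes (the DNS query is allowed, the SMB attempt against an arbitrary LAN host is dropped by the logged deny line), which is a cheap way to confirm the rule set before cutting over.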


Re: Help shaping firewall rules:

Hi Jason,

You may find the following document useful,

The above document shows access to a mail server in the DMZ, but I am sure you could modify this with your requirements for your services!

Good luck, and I hope the above helps a little; if it does, please rate posts!!