Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Question

As I have muddled through setting up and working on a firewall, I have a couple questions:

1. When you create a inbound (incoming) rule (for example permitting http traffic) from a lower security interface (DMZ) to a higher security interface (inside), do you need to have a rule on the 'inside' interface in the outbound direction to allow the http traffic through? Or does the incoming rule on the lower security interface (DMZ) take care of that? Maybe my question is really, is there an implied outgoing ACL on the inside interface that would stopped traffic coming from a DMZ interface?

2. When you apply rules to an interface, where is the best place to apply them - incoming or outgoing? I am assuming closest to the sending device correct?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Question

"access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?"

If the acl DMZ_access_in is applied inbound to the DMZ interface then yes the above would allow http traffic from any device in the DMZ to any device on the inside.

"or a lower security interface for that matter)"

yes, but note that you wouldn't need an acl if you just wanted to allow traffic from the DMZ to a lower security interface.

"Sorry for all the questions, I just want to be sure I have a clear understanding."

No need to apologise, this is what NetPro is for. Feel free to ask as many questions as you want :-)

Jon

6 REPLIES
Hall of Fame Super Blue

Re: Question

1) A firewall such as the pix/ASA is stateful so if you allow traffic through from a lower to higher security interface then the return traffic is automatically allowed. Note that this applies to TCP/UDP and now ICMP.

But for example if you wanted to allow GRE through your firewall you would need to allow it both ways as it is not stateful.

However TCP/UDP account for the vast majority of traffic and things like GRE are the exception rather than the rule.

2) As close to source as possible is best so usually acl's are applied in an inbound direction.

Jon

New Member

Re: Question

And just to be clear, there is no implicit ACL in an outbound direction is you don't specifically have one applied?

Hall of Fame Super Blue

Re: Question

There is no implict acl in any direction from a higher to a lower security interface ie. traffic will be allowed by default from a higher to lower security interface.

Jon

New Member

Re: Question

And from a lower (DMZ) to a higher interface (inside), as long as there is an incoming rule on the lower interface (DMZ) that allows the traffic through, it will be able to access devices on the higher security interface.

So this:

access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?

Thanks Jon. Sorry for all the questions, I just want to be sure I have a clear understanding.

New Member

Re: Question

And from a lower (DMZ) to a higher interface (inside), as long as there is an incoming rule on the lower interface (DMZ) that allows the traffic through, it will be able to access devices on the higher security interface.

So this:

access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?

Thanks Jon. Sorry for all the questions, I just want to be sure I have a clear understanding.

Hall of Fame Super Blue

Re: Question

"access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?"

If the acl DMZ_access_in is applied inbound to the DMZ interface then yes the above would allow http traffic from any device in the DMZ to any device on the inside.

"or a lower security interface for that matter)"

yes, but note that you wouldn't need an acl if you just wanted to allow traffic from the DMZ to a lower security interface.

"Sorry for all the questions, I just want to be sure I have a clear understanding."

No need to apologise, this is what NetPro is for. Feel free to ask as many questions as you want :-)

Jon

126
Views
0
Helpful
6
Replies
CreatePlease to create content