Cisco Support Community
New Member

Unexpected access through ACL

Hi,

I'm having a problem that I can't figure out.

To outline a simple setup of our configuration, it looks like this:

inside (sec. level 100)

outside (sec. level 0)

dmz (sec. level 20)

Now, I've created a NAT exempt statement between the dmz and the inside network. I then created a rule on the dmz interface that allows http to any.

The problem is that this rule also allows http access to the inside. I might be wrong, but shouldn't the security levels prevent this automatically in spite of the "any" rule?

Maybe it has something to do with the nat exempt, or it might just be default behaviour?

Thanks in advance,

Rasmus

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Unexpected access through ACL

Rasmus

That is normal behaviour. What I am a bit confused about is if you want http access to be allowed from the DMZ but not to the inside, why bother with an acl at all?

For traffic to flow from a lower to a higher security you need 2 things -

1) NAT - which you have taken care of with your exemption

2) an access-list allowing that traffic - which you have done.

If you want to stop this either

1) remove the acl from the dmz interface (although you may be using this acl for other reasons)

2) deny traffic from the dmz to the inside in your access-list first and then permit any eg.

access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any

where 172.16.5.0/24 is DMZ subnet and 192.168.5.0/24 is inside subnet.

Jon

3 REPLIES

New Member

Re: Unexpected access through ACL

Hi Jon,

Thanks for your reply.

OK. I just thought that "any" traffic from a lower sec. level to a higher one didn't get through.

I will follow your advice number 2.

Thanks again.

Rasmus

New Member

Re: Unexpected access through ACL

That is exactly what the access list does. Traffic from lower to higher will not flow automatically; you'll need an ACL.

Without ACL, traffic from high to low works (might need NAT), from low to high is blocked.
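An added example (my own, not code from this thread or from Cisco) that models the behaviour Jon's answer and the reply above describe: an ACL on the ingress interface is evaluated first-match with an implicit deny at the end, and with no ACL only higher-to-lower security traffic passes. Interface names, the host addresses and the outside address are constructed, NAT is assumed to be in place (the poster's exemption), and ports are not modelled, matching Jon's "ip" entries.

```python
import ipaddress
from dataclasses import dataclass

# Security levels from the original post (interface names as given there).
SEC_LEVEL = {"inside": 100, "outside": 0, "dmz": 20}

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # 0.0.0.0/0 represents "any"

def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC MASK (DST MASK|any)' (ASA-style, no ports)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip"
    src = ipaddress.IPv4Network(f"{tok[4]}/{tok[5]}")
    dst = (ipaddress.IPv4Network("0.0.0.0/0") if tok[6] == "any"
           else ipaddress.IPv4Network(f"{tok[6]}/{tok[7]}"))
    return Ace(tok[2], src, dst)

def allowed(src_if, dst_if, src_ip, dst_ip, acl=None):
    """With an ACL on the ingress interface: first matching entry decides, implicit deny
    otherwise. With no ACL: only higher-to-lower security traffic passes (NAT assumed)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if acl is None:
        return SEC_LEVEL[src_if] > SEC_LEVEL[dst_if]
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL

# Subnets from Jon's example; the ACLs are the "before" (permit any only) and his fix.
DMZ, INSIDE = "172.16.5.0 255.255.255.0", "192.168.5.0 255.255.255.0"
ORIGINAL_ACL = [parse_ace(f"access-list dmz_in permit ip {DMZ} any")]
FIXED_ACL = [parse_ace(f"access-list dmz_in deny ip {DMZ} {INSIDE}"),
             parse_ace(f"access-list dmz_in permit ip {DMZ} any")]
REVERSED_ACL = FIXED_ACL[::-1]   # same entries, wrong order: the deny never matches

# Constructed hosts: one DMZ server, one inside host, one outside address.
def dmz_to_inside(acl):
    return allowed("dmz", "inside", "172.16.5.10", "192.168.5.10", acl)

def dmz_to_outside(acl):
    return allowed("dmz", "outside", "172.16.5.10", "198.51.100.7", acl)

if __name__ == "__main__":
    print("original:", dmz_to_inside(ORIGINAL_ACL), "fixed:", dmz_to_inside(FIXED_ACL))
```

Running it shows the poster's symptom (the original ACL lets DMZ reach inside), that Jon's ordering closes it while still allowing DMZ to outside, and that swapping the two entries reopens it.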
