Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
581
Views
4
Helpful
5
Replies

Not working from Inside to DMZ after configuring the ACL.

Go to solution
jahangeer_abdul
Level 1
Level 1

‎03-14-2007 08:23 AM - edited ‎02-20-2020 09:38 PM

Hi,

As per the concept of ASA, trafuc from inside (Sec 100) to DMZ ( Sec 50) is allowed by default. When I try write some acl (Host to Host block) on the Inside Interface, No other traffic is flowing to and from the Inside Interface.

Everything is blocked. Previously no ACL has been mapped to the Inside Interface.

Kindly help me to resolve this Issue and also provide the document for behaviour of Firewall before and after configuring the ACL.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
acomiskey
Level 10
Level 10

‎03-14-2007 08:30 AM

Post the acl you entered. Remember, there is an explicit deny any any at the end of the acl. So if you only want to prevent access to some dmz machine, then it has to be written properly. Allow what you want to allow to dmz, deny everything else to dmz, then allow everything else.

View solution in original post

0 Helpful

Go to solution
greivin.viquez
Level 1
Level 1

‎03-14-2007 11:48 AM

You are right in terms of the default behave of the ASA as long as there is no ACL on the inside interface, however once there is an ACL this will filter any outgoing traffic. So, if you do not have ACL applied on the inside interface all the traffic will be permitted from a High (100) inteface to a low (50) interface BUT if there is an ACL this will filter ALL the traffic, whatever the values are.....The ACL you create for the inside inteface must permit all the outgoing traffic not only for the internet (outside interface) but also for the DMZ.

Regards,

View solution in original post

0 Helpful
5 Replies 5

Go to solution
suschoud
Cisco Employee
Cisco Employee

‎03-14-2007 08:30 AM

Hi Abdul,

yes,by default ,traffic is allowed from higher sec. zone to the lower one.

But that is when you do not have any access-list on the higher sec. interface.

If you have even a single access-list on the higher sec, interface,then you need to specify all the traffic which you want to allow in the access-lists.

the reason:

there's an implicit deny at the end of the access-list which by default denies the traffic not allowed in the access-list statements above it.

So,either do not put any access-list on the inside interface and everything will be permitted.

if you put even a single statement on the inside interface,the plz specify all the traffic you want to permit and the rest will be denied by the implicit deny at the end.

otherewise,you can deny all the traffic initially and then put a pemrit ip any any in the end .

Hope this helps!!

Sushil

Cisco TAC.

Go to solution
acomiskey
Level 10
Level 10

‎03-14-2007 08:30 AM

Post the acl you entered. Remember, there is an explicit deny any any at the end of the acl. So if you only want to prevent access to some dmz machine, then it has to be written properly. Allow what you want to allow to dmz, deny everything else to dmz, then allow everything else.

0 Helpful

Go to solution
greivin.viquez
Level 1
Level 1

‎03-14-2007 11:48 AM

You are right in terms of the default behave of the ASA as long as there is no ACL on the inside interface, however once there is an ACL this will filter any outgoing traffic. So, if you do not have ACL applied on the inside interface all the traffic will be permitted from a High (100) inteface to a low (50) interface BUT if there is an ACL this will filter ALL the traffic, whatever the values are.....The ACL you create for the inside inteface must permit all the outgoing traffic not only for the internet (outside interface) but also for the DMZ.

Regards,

0 Helpful

Go to solution
jahangeer_abdul
Level 1
Level 1
In response to greivin.viquez

‎03-14-2007 11:28 PM

I have Addedd the following lines on my PIX Firewall.

access-list inside_acl permit icmp any any

access-list inside_acl permit tcp host 172.30.2.184 any eq telnet log

access-list inside_acl deny udp host 172.30.2.88 any eq 135 log

access-list inside_acl deny tcp host 172.30.2.88 any eq 135 log

access-list inside_acl deny udp host 172.30.2.88 any eq 139 log

access-list inside_acl deny tcp host 172.30.2.88 any eq netbios-ssn log

access-group inside_acl in interface inside

(above lines are revoked from the Firewall)

After binding the Lines, every communication from IN to OUT is blocked.

kindly help me to re-solve the Issue and also also find the atachments for more details.

Regards,

Jahangeer A

23952-Configafterchange
0 Helpful

Go to solution
acomiskey
Level 10
Level 10
In response to jahangeer_abdul

‎03-15-2007 05:45 AM

Take a look at my first post again. There is an explicit or "hidden" entry that is always the last line in your access-list. It is "deny ip any any". This is blocking everything you have not specifically permitted, like icmp and telnet. If all you want to do is deny what you have in your access-list, add this line to the end of your list.

access-list inside_acl permit ip any any

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents