access list issue

donnie (Level 1)

Hi all. My Cisco ASA 5510 has 3 interfaces: DMZ, internal, external. When I use the ASDM to define an access list to allow any traffic from DMZ to external, I can see that it not only allows access to external but also to my internal, although I specifically state external in the GUI. Why is this so? I specifically state a rule which removes the default implicit rule because I also need to create some rules to allow some DMZ servers to access my specific internal servers. Thanks in advance.

2 Replies

Marwan ALshawi (VIP Alumni)

In the ASA there is something called the security level.

So the higher security level can have access to the lower security level even without an ACL, if you have proper NATing, while the lower security level needs a permit ACL to go to the higher.

So take this into your consideration: if you want to control what is accessed from inside to the DMZ, make the ACL on the inside interface in the inbound direction, and for DMZ to inside make it on the DMZ, and so on.

Good luck.

Please rate if helpful.

wenbin, your statement is rather confusing. marwanshawi is right, do consider the security level thing while designing.

From inside to (DMZ or external), there is no need to add any access-list (access from a higher security zone to a lower security zone is allowed) unless you want to block access of internal users to the DMZ or external.

The same goes with the DMZ: from DMZ to external, traffic is allowed by default, but from DMZ to internal you need to define access-lists (going higher security zone to lower).

Make sure that you are using the predefined security levels (internal=100, DMZ=50, external=0) to avoid any confusion.
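Added example configuration, not taken from this thread, showing how the security levels described in both replies interact with an inbound ACL on the DMZ interface; the interface names, addresses and the inside server 10.0.0.20 are constructed placeholders, and NAT is assumed to be configured already. Once an access-group is bound to the DMZ interface the implicit "permit to less secure networks" rule no longer applies, and a destination of "any" matches inside just as well as outside, which is why the explicit deny sits ahead of the catch-all permit.

```cisco
! Added example, not from the thread: constructed names and addresses.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Inbound ACL on dmz. Binding it replaces the implicit
! "permit to any less secure network" rule: anything the list
! does not permit is dropped by the implicit deny at the end.
! 1) the one DMZ-to-inside flow that is wanted (constructed: SQL server 10.0.0.20)
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.0.20 eq 1433
! 2) block the rest of inside before the catch-all, because "any" as a
!    destination would otherwise also cover the inside network
access-list DMZ_IN extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
! 3) everything else from the DMZ (in practice, to outside) is allowed
access-list DMZ_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! No ACL on inside: inside (100) reaches dmz (50) and outside (0) by the
! security-level rule alone.
```

`show access-list DMZ_IN` shows per-entry hit counts, and `packet-tracer input dmz tcp 192.168.50.10 1025 10.0.0.20 1433` shows which entry a given flow matches, which is the quickest way to confirm the list behaves as intended.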
