08-05-2008 12:18 PM - edited 03-03-2019 11:02 PM
Hi all. My Cisco ASA 5510 has 3 interfaces: DMZ, internal, external. When I use the ASDM to define an access list to allow any traffic from DMZ to external, I can see that it not only allows access to external but also to my internal, although I specifically state external in the GUI. Why is this so? I specifically state a rule which removes the default implicit rule because I also need to create some rules to allow some DMZ servers to access my specific internal servers. Thanks in advance.
08-05-2008 10:45 PM
In the ASA there is something called the security level,
so the higher security level can have access to the lower security level even without an ACL
if you have proper NATing,
while the lower security level needs a permit ACL to go to the higher.
So take this into your consideration:
if you want to control what is accessed from inside to the DMZ,
make the ACL on the inside interface in the inbound direction,
and for DMZ to inside make it on the DMZ,
and so on.
Good luck.
Please rate if helpful.
08-07-2008 06:33 AM
wenbin, your statement is rather confusing. marwanshawi is right; do consider the security level thing while designing.
From inside to (DMZ or external), there is no need to add any access-list (access from a higher security zone to a lower security zone is allowed) unless you want to block access of internal users going to the DMZ or external.
Same goes with the DMZ: from DMZ to external, traffic is by default allowed, but from DMZ to internal, you need to define access-lists (going higher security zone to lower).
Make sure that you are using the predefined security levels (internal=100, DMZ=50, external=0) to avoid any confusion.
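As an added illustration of the point made in this thread (this is example configuration, not from the original poster's ASA or from Cisco documentation), the following shows why a "permit any" applied inbound on the DMZ also reaches the internal network, and how the ACL is ordered so that only the specific DMZ-to-internal flows are allowed. Interface names, security levels, addresses and the port number are all assumed; NAT is assumed to already be in place and is not shown.

```cisco
! Added example, not from the thread. Assumed interface names and levels.
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
!
! Assumed addressing:
!   inside network  10.1.0.0/16, internal DB server 10.1.5.20 (tcp/1433)
!   DMZ network     192.168.10.0/24, DMZ web server 192.168.10.10
!
! Once an ACL is applied inbound on dmz, the implicit "permit to lower
! security levels" no longer applies and every packet arriving from the
! DMZ is matched against the list top to bottom. A single
! "permit ip any any" therefore matches inside destinations as well,
! which is exactly what the original question observed.
!
! Order the entries so the explicit inside exceptions come first, then a
! deny for everything else on inside, and only then the broad permit,
! which in practice leaves only outside reachable.
access-list dmz_access_in extended permit tcp host 192.168.10.10 host 10.1.5.20 eq 1433
access-list dmz_access_in extended deny ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
!
! Check the result without sending real traffic: the first flow should be
! allowed by the first ACE, the second should be dropped by the deny ACE
! (10.1.7.7 is an assumed internal host with no exception).
packet-tracer input dmz tcp 192.168.10.10 1025 10.1.5.20 1433
packet-tracer input dmz tcp 192.168.10.10 1025 10.1.7.7 80
show access-list dmz_access_in
```

The same ordering applies when the rules are built in ASDM: an "any" destination in a DMZ-inbound rule means any network the firewall can route to, including inside, so the deny toward the inside network has to sit above the permit toward external. The `show access-list` hit counts confirm which ACE each flow is matching.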