I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.
I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
Now, my DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permitted traffic from the DMZ to hosts on my Inside interface as well.
My initial thoughts are to permit www / https from the DMZ subnets to any, and to use deny statements in my Inside interface ACLs for the DMZ IPs that I don't want these systems touching, but I'm just looking for some opinions on the "right" way to accomplish this.
If you want to allow internet traffic from the DMZ and deny traffic to the inside, you should add the deny statement from the DMZ subnet to the inside subnet at the beginning of the DMZ ACL and then add the permit from DMZ to ANY.
I hope this helps.
Just to add to what Paul has said, if we have a rule to allow just Internet access, it is usually preceded with an explicit deny to RFC1918 addresses:
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
access-list dmz_acl deny ip any object-group RFC1918
access-list dmz_acl permit tcp object-group DMZ-Net any object-group WEB-PORTS
Then you would add any other permits, such as to your inside network, above these lines.
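To make the ordering point concrete, here is an added example that is not from the thread or from Cisco: a small simulator of the ASA's first-match ACL evaluation (top-down, first matching entry wins, implicit deny at the end). It uses constructed addressing as an assumption (Inside 10.1.0.0/16, DMZ 10.2.0.0/24, two permitted inside servers 10.1.5.10 and 10.1.5.11) and compares three DMZ ACLs: the poster's "permit ip DMZ any", a mis-ordered version where the web permit sits above the RFC1918 deny, and the ordering recommended above.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (an assumption, not from the thread):
INSIDE_NET = ip_network("10.1.0.0/16")          # SL100 Inside
DMZ_NET = ip_network("10.2.0.0/24")             # SL80 DMZ1
INSIDE_SERVERS = [ip_network("10.1.5.10/32"),   # the few inside hosts DMZ may reach
                  ip_network("10.1.5.11/32")]
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]
WEB_PORTS = {80, 443}


def ace(action, proto, src_nets, dst_nets, dst_ports=None):
    """One access-control entry; dst_ports=None means any port."""
    return {"action": action, "proto": proto, "src": src_nets,
            "dst": dst_nets, "ports": dst_ports}


def _matches(entry, proto, src, dst, dport):
    """True if the flow matches this entry ("ip" matches every protocol)."""
    if entry["proto"] != "ip" and entry["proto"] != proto:
        return False
    if not any(src in n for n in entry["src"]):
        return False
    if not any(dst in n for n in entry["dst"]):
        return False
    if entry["ports"] is not None and dport not in entry["ports"]:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line_number) of the first matching entry, or
    ("deny", None) for the implicit deny at the end of every ASA ACL."""
    src, dst = ip_address(src), ip_address(dst)
    for i, entry in enumerate(acl, start=1):
        if _matches(entry, proto, src, dst, dport):
            return entry["action"], i
    return "deny", None


# 1. The poster's first attempt: "permit ip DMZ-subnet any".
NAIVE_ACL = [ace("permit", "ip", [DMZ_NET], ANY)]

# 2. Web permit placed ABOVE the RFC1918 deny: the deny never fires for web ports.
MISORDERED_ACL = [
    ace("permit", "tcp", [DMZ_NET], ANY, WEB_PORTS),
    ace("deny", "ip", ANY, RFC1918),
]

# 3. Ordering from the replies: specific permits to inside first,
#    then deny everything else to private space, then web to the world.
ORDERED_ACL = [
    ace("permit", "tcp", [DMZ_NET], INSIDE_SERVERS, {443}),
    ace("deny", "ip", ANY, RFC1918),
    ace("permit", "tcp", [DMZ_NET], ANY, WEB_PORTS),
]

# Constructed sample flows: (description, proto, src, dst, dport)
FLOWS = [
    ("DMZ -> inside server, https", "tcp", "10.2.0.5", "10.1.5.10", 443),
    ("DMZ -> inside workstation, ssh", "tcp", "10.2.0.5", "10.1.9.9", 22),
    ("DMZ -> inside workstation, https", "tcp", "10.2.0.5", "10.1.9.9", 443),
    ("DMZ -> internet, https", "tcp", "10.2.0.5", "203.0.113.7", 443),
    ("DMZ -> internet, smtp", "tcp", "10.2.0.5", "203.0.113.7", 25),
]


def verdicts(acl):
    """Map each sample flow description to the action the ACL would take."""
    return {desc: evaluate(acl, proto, s, d, p)[0]
            for desc, proto, s, d, p in FLOWS}


if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("misordered", MISORDERED_ACL),
                      ("ordered", ORDERED_ACL)):
        print(f"--- {name} ---")
        for desc, action in verdicts(acl).items():
            print(f"{action:6}  {desc}")
```

Running it shows the naive ACL permitting everything (including SSH from the DMZ to an inside workstation), the mis-ordered ACL still letting the DMZ reach any inside host on 80/443 because the permit is matched before the deny, and the recommended ordering permitting only the listed inside servers plus outbound web. Two things to remember on the real box: the ACL only takes effect once it is bound with `access-group dmz_acl in interface <dmz-nameif>`, and from that moment the security-level defaults no longer apply to that interface's inbound traffic, so anything not explicitly permitted (DMZ to a second DMZ in private space included, given the RFC1918 deny) is dropped by the implicit deny.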