topic Back to back dmz in Network Security

Back to back dmz

EmekaNwokeji1398 — Fri, 30 Jul 2021 16:26:50 GMT

Hello I have two asa firewall switches connected in between a server dmz. One of the switches is configured to allow the dmz to access the internet. But I'm having trouble on the second switch because I want the inside host to be able to talk to the dmz but not have internet access. What is the acl command to do that?

Re: Back to back dmz

Rob Ingram — Fri, 30 Jul 2021 16:36:11 GMT

@EmekaNwokeji1398

Hard to tell without seeing your network topology or configuration, but you just need to be specific in your destination IP/network on the ASA.

object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-SERVER
 host 192.168.10.5
!
access-list ACL extended permit ip object INSIDE-NET object DMZ-SERVER

The example above will permit traffic from the INSIDE network to the DMZ server IP address. Amend accordingly to fit your environment.

Re: Back to back dmz

EmekaNwokeji1398 — Fri, 30 Jul 2021 16:43:46 GMT

Will that allow the inside network to talk to the internet because I want to deny it.

Re: Back to back dmz

Rob Ingram — Fri, 30 Jul 2021 16:46:28 GMT

@EmekaNwokeji1398

No, that will only allow the inside network to communicate with the DMZ server. By default any traffic not specifically permitted will be denied, therefore no internet access.

Re: Back to back dmz

balaji.bandi — Fri, 30 Jul 2021 16:47:31 GMT

Many reasons :

1. is the same IP Address range, if not you need NAT here to get internet

2. you need Access rule to allow new subnet to access internet.

3. routing required depends on network

This is only assumptions and suggestions. Provide more details like small network diagram and IP address information (show run from ASA)

Re: Back to back dmz

EmekaNwokeji1398 — Fri, 30 Jul 2021 16:50:35 GMT

I'm sorry if I didn't put the topology and configurations The reason is because I'm working on classified projects and I'm not trying to get in trouble.

Re: Back to back dmz

EmekaNwokeji1398 — Fri, 30 Jul 2021 17:32:13 GMT

Will the dmz be able to communicate to the inside network because the default security of the dmz is less than the security of inside?

Re: Back to back dmz

Rob Ingram — Fri, 30 Jul 2021 17:38:52 GMT

@EmekaNwokeji1398

If you have an ACL from inside to dmz (like suggested above) and traffic is initiated from the inside network to the dmz, the dmz network will be able to automatically respond.

If the traffic is initiated from the dmz to the inside network, then you will need another ACL to permit the traffic to the inside network.

Re: Back to back dmz

EmekaNwokeji1398 — Fri, 30 Jul 2021 18:08:21 GMT

Okay. What would happen if I had the outside firewall for dmz to outside set the ACL extended permit ip any any will that affect the inside?

Re: Back to back dmz

Rob Ingram — Fri, 30 Jul 2021 18:15:59 GMT

@EmekaNwokeji1398

If that rule is configured inbound on the DMZ interface, then yes the DMZ can communicate with the inside network.

If you intention is to not permit internet access from the inside, configure specific ACLs and ensure you permit exactly what you need. You could also make sure you have no nat rules from inside to outside, if there are no nat rules the inside network cannot hope to communicate with the internet.