https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950174#M1105422 <P>Hello,</P><P>Referring cisco document on <STRONG><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html#:~:text=Access%20Control%20Lists%20(Access%2Dlists,to%20that%20lower%20security%20interface." target="_self">NAT</A></STRONG> i would like to know why the acl direction is "dmz_acl <STRONG>in</STRONG> interface dmz" rather than "dmz_acl <STRONG>out</STRONG> interface dmz" as the communication is from DMZ to INSIDE</P><P>&nbsp;</P><PRE>object network dns-server<BR /> host 192.168.0.53<BR />!<BR />access-list dmz_acl extended permit udp any object dns-server eq domain<BR />access-list dmz_acl extended deny ip any object inside-subnet<BR />access-list dmz_acl extended permit ip any any<BR />!<BR />access-group dmz_acl in interface dmz</PRE><P>&nbsp;</P> Sun, 29 Oct 2023 08:44:23 GMT sonyscaria 2023-10-29T08:44:23Z https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950174#M1105422 <P>Hello,</P><P>Referring cisco document on <STRONG><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html#:~:text=Access%20Control%20Lists%20(Access%2Dlists,to%20that%20lower%20security%20interface." target="_self">NAT</A></STRONG> i would like to know why the acl direction is "dmz_acl <STRONG>in</STRONG> interface dmz" rather than "dmz_acl <STRONG>out</STRONG> interface dmz" as the communication is from DMZ to INSIDE</P><P>&nbsp;</P><PRE>object network dns-server<BR /> host 192.168.0.53<BR />!<BR />access-list dmz_acl extended permit udp any object dns-server eq domain<BR />access-list dmz_acl extended deny ip any object inside-subnet<BR />access-list dmz_acl extended permit ip any any<BR />!<BR />access-group dmz_acl in interface dmz</PRE><P>&nbsp;</P> Sun, 29 Oct 2023 08:44:23 GMT https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950174#M1105422 sonyscaria 2023-10-29T08:44:23Z https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950191#M1105424 <P>The direction is depend on source and destiantion.</P> <P>Here I see any to server in DMZ so the direction must be IN</P> Sun, 29 Oct 2023 10:28:20 GMT https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950191#M1105424 MHM Cisco World 2023-10-29T10:28:20Z https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950194#M1105425 <P>Thank you for the response, here the DMZ is accessing dns host on inside...so the direction is DMZ to INSIDE</P><P><SPAN>From the document ..</SPAN></P><P>What about traffic from the DMZ&nbsp;segment destined to hosts on the inside network segment? For example, a server on the inside network that the hosts on the DMZ&nbsp;need to connect to. How can the ASA allow only that specific traffic destined to the inside server and block everything else destined to the inside segment from the DMZ?</P><P>In this example it is assumed that there is a DNS server on the inside network at IP address 192.168.0.53 that the hosts on the DMZ&nbsp;need to access for DNS resolution. You create the ACL needed and apply it to the DMZ&nbsp;interface so the ASA can override that default security behavior, mentioned earlier, for traffic that enters that interface.</P><P>Here is what those configuration commands look like:</P><PRE>object network dns-server<BR /> host 192.168.0.53<BR />!<BR />access-list dmz_acl extended permit udp any object dns-server eq domain<BR />access-list dmz_acl extended deny ip any object inside-subnet<BR />access-list dmz_acl extended permit ip any any<BR />!<BR />access-group dmz_acl in interface dmz</PRE><P>&nbsp;</P> Sun, 29 Oct 2023 10:52:51 GMT https://community.cisco.com/t5/network-security/acl-direction-on-asa-interface/m-p/4950194#M1105425 sonyscaria 2023-10-29T10:52:51Z