topic So your rule basically means in Network Security

Cisco ASA firewall policy from DMZ to Outside interface not working

Roger De Couto — Tue, 12 Mar 2019 08:51:30 GMT

Hi Guys,

I'm new to ASA firewall's and would appreciate if someone can point me in the right direction with a firewall rule.

I've configured a firewall policy to allow the DMZ network access to the internet.

However, I can only get this policy to permit traffic destined to the internet from a host in the DMZ if I set the Destination to 'any' in the rules. It does not work when I change the Destination to 'Outbound' interface, and I don't understand why it won't work.

Please see attachment.

I don't want to leave the Destination to 'any' because I only want the DMZ network to access the internet, hence I want to set the Destination to 'Outbound' interface somehow, or look for a work around.

Note: Disregard rule 1

Thanks.

So your rule basically means

Rahul Govindan — Tue, 31 Jan 2017 13:30:59 GMT

So your rule basically means that if the DMZ interface sees any packet INBOUND with source as DMZ-network and destination as 'any', it will allow it to hit the ASA. This allows the DMZ-network to send traffic to any destination (internet). This is correct. Setting the destination to 'Outside' interface says that the DMZ-network is allowed to talk to the outside interface.

If you want to block access from 'Internet' to 'DMZ', this is done by default as the ASA does not allow traffic from a lower to higher security level without adding an ACL specifically.

I think you might be

Marius Gunnerud — Tue, 31 Jan 2017 18:12:36 GMT

I think you might be confusing access-list rules with NAT rules. The access rule spesifies which source IP the ASA should expect to see on the interface the the ACL is assigned to, while destination specifies which IP that source address is allowed to talk to, and the then again the port is which port the source is allowed to talk to the destination on. So setting the destination in the ACL rule to Any is a requirement to allow for internet access.

In the NAT rule you can specify that a given subnet or IP will be translated to the outside interface IP so to hide the real IP behind the ASA. Depending on how you have configured your ASA, traffic will by default be denied on the outside interface unless explicitly permitted.

Please remember to select a correct answer and rate helpful posts