<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Access rules versus security level in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975914#M401591</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do you know if it is industry standard to have an implicit any/any IP permit on the incoming Inside interface? It just seems this is less secure than access rules that are more specific, like going from Machine A in the DMZ to Machine X in the Inside LAN. Does that make sense? Thank you for the reply. It helped clarify things.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 26 Jul 2012 19:29:01 GMT</pubDate>
    <dc:creator>Tony Carman</dc:creator>
    <dc:date>2012-07-26T19:29:01Z</dc:date>
    <item>
      <title>Access rules versus security level</title>
      <link>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975912#M401586</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="text-decoration: underline;"&gt;Overview/Facts&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Firewall: ASA&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Security Level:&lt;/P&gt;&lt;P&gt;Outside - 0&lt;/P&gt;&lt;P&gt;DMZ - 10&lt;/P&gt;&lt;P&gt;Inside - 100&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Access Rules in Question (ALL INCOMING):&lt;/P&gt;&lt;P&gt;Outside - implicit any | any | IP | DENY&lt;/P&gt;&lt;P&gt;DMZ - implicit any | any | IP | PERMIT&lt;/P&gt;&lt;P&gt;Inside - implicit any | any | IP | PERMIT&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="text-decoration: underline;"&gt;Situation/Confusion&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is my understanding, please correct me if I am wrong, that the security level requires the Inside interface to initiate traffic to the DMZ or Outside interface for traffic to come back in the Inside interface. With that said, I have seen the access rule for the Inside interface that is implicit and gives IP permission from any to any.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="text-decoration: underline;"&gt;Question&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Wouldn't the fact that the Inside interface has an implicit IP any/any permit access rule totally negate the reasoning behind having a DMZ with a security level of 10 and an Inside interface with a security level of 100? I guess what I am trying to say is, is it a good idea to have this rule? Wouldn't it be more secure if you set access rules for the specific DMZ appliances that will be talking back to the Inside?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance for your time.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 23:35:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975912#M401586</guid>
      <dc:creator>Tony Carman</dc:creator>
      <dc:date>2019-03-11T23:35:08Z</dc:date>
    </item>
    <item>
      <title>Access rules versus security level</title>
      <link>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975913#M401589</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Tony,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the ASA by default, without any access list, you will have an implicit permit ip any to any less secure network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With this being said, by default you will be able to go from DMZ to Outside with no problem, but not to Inside, and from Inside to Outside or DMZ without problem, just needing NAT.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you want the DMZ to access Inside, you will indeed need to add access rules to be able to do this; you can be more explicit if you want.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To add specific ACLs to access on Inside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this will help to answer your question.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Jul 2012 18:53:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975913#M401589</guid>
      <dc:creator>alejands</dc:creator>
      <dc:date>2012-07-26T18:53:24Z</dc:date>
    </item>
    <item>
      <title>Access rules versus security level</title>
      <link>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975914#M401591</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do you know if it is industry standard to have an implicit any/any IP permit on the incoming Inside interface? It just seems this is less secure than access rules that are more specific, like going from Machine A in the DMZ to Machine X in the Inside LAN. Does that make sense? Thank you for the reply. It helped clarify things.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Jul 2012 19:29:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-rules-versus-security-level/m-p/1975914#M401591</guid>
      <dc:creator>Tony Carman</dc:creator>
      <dc:date>2012-07-26T19:29:01Z</dc:date>
    </item>
  </channel>
</rss>

