https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716873#M557166 <HTML><HEAD></HEAD><BODY><P>if you want to allow internet traffic from the DMZ and deny traffic to the inside you should add the deny statement from DMZ subnet to inside subnert at the beggining on the DMZ ACLs and then add the permit from DMZ to ANY.</P><P></P><P>I hope this helps.</P></BODY></HTML> Mon, 25 Apr 2011 21:58:36 GMT PAUL GILBERT ARIAS 2011-04-25T21:58:36Z https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716872#M557161 <P>Hello all,</P><P><BR />I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.</P><P></P><P>I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside.&nbsp; I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100. </P><P></P><P>What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc... </P><P></P><P>Now, my DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well.&nbsp; Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------&gt; any.&nbsp; This worked great for giving my DMZ hosts access to the internet, but it also permit traffic from the DMZ to hosts on my Inside interface as well.&nbsp;&nbsp; </P><P></P><P>My initial thoughts are to permit www / https to the DMZ subnets to any, and to use deny statements at my Inside interface ACL's from the DMZ IP's that I don't want these systems touching, but I'm just looking some opinions on the "right" way to accomplish this.</P><P></P><P>Thanks -</P><P><BR />J</P> Mon, 11 Mar 2019 20:25:23 GMT https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716872#M557161 Jkloza_2 2019-03-11T20:25:23Z https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716873#M557166 <HTML><HEAD></HEAD><BODY><P>if you want to allow internet traffic from the DMZ and deny traffic to the inside you should add the deny statement from DMZ subnet to inside subnert at the beggining on the DMZ ACLs and then add the permit from DMZ to ANY.</P><P></P><P>I hope this helps.</P></BODY></HTML> Mon, 25 Apr 2011 21:58:36 GMT https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716873#M557166 PAUL GILBERT ARIAS 2011-04-25T21:58:36Z https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716874#M557171 <HTML><HEAD></HEAD><BODY><P>Just to add to what Paul has said, if we have a rule to allow just Internet access, it is usually preceeded with an explicit deny to RFC1918 addresses:</P><P></P><P><SPAN style="font-family: courier new,courier;">object-group network RFC1918</SPAN></P><P><SPAN style="font-family: courier new,courier;"> network-object 10.0.0.0 255.0.0.0</SPAN></P><P><SPAN style="font-family: courier new,courier;"> network-object 172.16.0.0 255.240.0.0</SPAN></P><P><SPAN style="font-family: courier new,courier;"> network-object 192.168.0.0 255.255.0.0</SPAN></P><P><SPAN style="font-family: courier new,courier;"><BR /></SPAN></P><P><SPAN style="font-family: courier new,courier;">...<BR /></SPAN></P><P><SPAN style="font-family: courier new,courier;">access-list dmz_acl deny ip any object-group RFC1918</SPAN></P><P><SPAN style="font-family: courier new,courier;">access-list dmz_acl permit tcp object-group DMZ-Net any object-group WEB-PORTS<BR /></SPAN></P><P></P><P>Then you would add any other permits, such as to your inside network, above these lines.</P></BODY></HTML> Tue, 26 Apr 2011 15:18:21 GMT https://community.cisco.com/t5/network-security/asa-questions-best-practices/m-p/1716874#M557171 john.dowson 2011-04-26T15:18:21Z