https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506643#M611007 <P>Hi,</P><P></P><P>Im a little confused about the logic of this rule on the ASA 5510, basically i have the following interfaces set to the following security levels:</P><P></P><P>Inside: 100</P><P>DMZ: 4</P><P>Outside: 0</P><P></P><P>The DMZ has a rule by default which allows any traffic to a less secure network, but when i add a rule on that interface so that the dmz can push limited traffic to the inside network for our exchange server it disapears.&nbsp; Does this mean that now that rule has gone if i want that interface to have internet access via the outside interface i have to add a rule in?&nbsp; or will it still allow traffic to lower interfaces?&nbsp; if not is there anyway to add the rule back in and have additional rules on an interface to a higher security interface?</P><P></P><P>Hope that makes sense.</P><P></P><P>Thanks in advance for the help</P><P></P><P>David</P> Mon, 11 Mar 2019 18:43:17 GMT David Shearing 2019-03-11T18:43:17Z https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506643#M611007 <P>Hi,</P><P></P><P>Im a little confused about the logic of this rule on the ASA 5510, basically i have the following interfaces set to the following security levels:</P><P></P><P>Inside: 100</P><P>DMZ: 4</P><P>Outside: 0</P><P></P><P>The DMZ has a rule by default which allows any traffic to a less secure network, but when i add a rule on that interface so that the dmz can push limited traffic to the inside network for our exchange server it disapears.&nbsp; Does this mean that now that rule has gone if i want that interface to have internet access via the outside interface i have to add a rule in?&nbsp; or will it still allow traffic to lower interfaces?&nbsp; if not is there anyway to add the rule back in and have additional rules on an interface to a higher security interface?</P><P></P><P>Hope that makes sense.</P><P></P><P>Thanks in advance for the help</P><P></P><P>David</P> Mon, 11 Mar 2019 18:43:17 GMT https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506643#M611007 David Shearing 2019-03-11T18:43:17Z https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506644#M611009 <HTML><HEAD></HEAD><BODY><P>As access-list is analysed top to bottom, here is what you would need to configure to achieve your requirement:</P><P></P><P>access-list <DMZ-ACL-NAME> permit tcp <DMZ-SUBNET> <MASK> host <EXCHANGE-SERVER> eq <PORT-FOR-EXCHANGE></PORT-FOR-EXCHANGE></EXCHANGE-SERVER></MASK></DMZ-SUBNET></DMZ-ACL-NAME></P><P>access-list <DMZ-ACL-NAME> deny ip <DMZ-SUBNET> <MASK> <INSIDE-SUBNET> <MASK></MASK></INSIDE-SUBNET></MASK></DMZ-SUBNET></DMZ-ACL-NAME></P><P>access-list <DMZ-ACL-NAME> permit ip <DMZ-SUBNET> <MASK> any</MASK></DMZ-SUBNET></DMZ-ACL-NAME></P><P></P><P>So basically you would need to configure traffic that you would like to allow from dmz towards inside first, then ACL to deny traffic from dmz towards inside, and lastly to allow traffic from dmz to internet.</P><P></P><P>Hope that helps.</P></BODY></HTML> Wed, 22 Sep 2010 07:13:40 GMT https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506644#M611009 Jennifer Halim 2010-09-22T07:13:40Z https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506645#M611011 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>That more than answers the question.&nbsp; Thanks very much for the help.</P><P></P><P>David</P></BODY></HTML> Wed, 22 Sep 2010 10:24:48 GMT https://community.cisco.com/t5/network-security/any-less-secure-network-rule/m-p/1506645#M611011 David Shearing 2010-09-22T10:24:48Z