topic ASA ACL question in Network Security

ASA ACL question

leowls — Fri, 21 Feb 2020 16:55:52 GMT

With reference to this:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

The acl configured at the end for dmz, why is it being placed inbound rather than outbound in the dmz interface? Shouldn't it be outbound because the traffic is leaving the dmz into the inside interface to access the dns?

Re: ASA ACL question

Rob Ingram — Mon, 11 Mar 2019 13:39:46 GMT

Hi,

The majority of the time an ACL will be applied INbound as packets would originate inbound on the DMZ interface. If you use an outbound ACL then the packets arrive inbound on the DMZ interface, processed for NAT, inspection etc only to be dropped after the ASA has spent more resources processing it.

FYI, an example usage of an OUTbound ACL here.

HTH