topic Re: DMZ ACL in Network Security

DMZ ACL

jcw009 — Mon, 11 Mar 2019 16:13:31 GMT

Setting up a new DMZ on my ASA 5520 running 7.2(3). I want to allow by exception into the internal network, but allow everything out to the external network. I'm only using private addresses on the internal network. If I simply have a few permit statements in the acl, followed by deny to 10./8, 172.16/12, 192.168./16, that should cover all of the internal networks that I'm using (subnetted 172.16. & 10. networks), right?

At first I was trying to do a deny statement for each internal network, but that's going to be a pain to implement and maintain.

Thanks!

Re: DMZ ACL

Collin Clark — Tue, 08 Sep 2009 19:48:48 GMT

Yes you can use the masks. You can also group the networks together using an object group to make it even cleaner.

object-group network BLOCK_RFC_1918

network-object 10.0.0.0 255.0.0.0

network-object 192.168.0.0 255.255.0.0

network-object 172.16.0.0 255.240.0.0

access-list DMZ extended deny ip any object-group BLOCK_RFC_1918

Hope that helps