https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159302#M877904 <P>Hi,</P><P></P><P>I'm having a problem that I can't figure out.</P><P></P><P>To outline a simple setup of our configuration i looks like this:</P><P></P><P>inside (sec. level 100)</P><P>outside (sec. level 0)</P><P>dmz (sec. level 20)</P><P></P><P>Now, I've created a NAT excemt statement between the dmz and the inside network. I then created a rule on the dmz interface that allows http to any.</P><P></P><P>The problem is that this rule also allows http access to the inside. I might be wrong, but shouldn't the security levels prevent this automatically in spite of the "any" rule?</P><P></P><P>Maybe it has something to do with the nat excemt, or it might just be default behaviour?</P><P></P><P>Thanks in advance,</P><P>Rasmus</P> Mon, 11 Mar 2019 14:34:31 GMT blueoceanventure 2019-03-11T14:34:31Z https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159302#M877904 <P>Hi,</P><P></P><P>I'm having a problem that I can't figure out.</P><P></P><P>To outline a simple setup of our configuration i looks like this:</P><P></P><P>inside (sec. level 100)</P><P>outside (sec. level 0)</P><P>dmz (sec. level 20)</P><P></P><P>Now, I've created a NAT excemt statement between the dmz and the inside network. I then created a rule on the dmz interface that allows http to any.</P><P></P><P>The problem is that this rule also allows http access to the inside. I might be wrong, but shouldn't the security levels prevent this automatically in spite of the "any" rule?</P><P></P><P>Maybe it has something to do with the nat excemt, or it might just be default behaviour?</P><P></P><P>Thanks in advance,</P><P>Rasmus</P> Mon, 11 Mar 2019 14:34:31 GMT https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159302#M877904 blueoceanventure 2019-03-11T14:34:31Z https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159303#M877905 <HTML><HEAD></HEAD><BODY><P>Rasmus</P><P></P><P>That is normal behaviour. What i am a bit confused about is if you want http access to be allowed from the DMZ but not to the inside why bother with an acl at all ?</P><P></P><P>For traffic to flow from a lower to a higher security you need 2 things - </P><P></P><P>1) NAT - which you have taken care of with your exemption</P><P></P><P>2) an access-list allowing that traffic - which you have done. </P><P></P><P>If you want to stop this either </P><P></P><P>1) remove the acl from the dmz interface (altho you may be using this acl for other reasons) </P><P></P><P>2) deny traffic from the dmz to the inside in your access-list first and then permit any eg. </P><P></P><P>access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0 </P><P>access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any</P><P></P><P>where 172.16.5.0/24 is DMZ subnet and 192.168.5.0/24 is inside subnet.</P><P></P><P>Jon</P><P></P><P></P></BODY></HTML> Thu, 08 Jan 2009 14:59:04 GMT https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159303#M877905 Jon Marshall 2009-01-08T14:59:04Z https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159304#M877908 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>Thanks for your reply.</P><P></P><P>OK. I just thought that "any-traffic" from a lower sec. to a higher. didn't get through.</P><P></P><P>I will follow your advice number 2.</P><P></P><P>Thanks again.</P><P>Rasmus</P></BODY></HTML> Fri, 09 Jan 2009 11:29:27 GMT https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159304#M877908 blueoceanventure 2009-01-09T11:29:27Z https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159305#M877909 <HTML><HEAD></HEAD><BODY><P>That is exactly what the access list does. Traffic from lower to higher will no flow automatically, you'll need an ACL. </P><P></P><P>Without ACL, traffic from high to low works (might need NAT), from low to high is blocked.</P></BODY></HTML> Mon, 12 Jan 2009 09:52:05 GMT https://community.cisco.com/t5/network-security/unexpected-access-through-acl/m-p/1159305#M877909 marcelnjkoks 2009-01-12T09:52:05Z