Access-list on ASA


Hi,

I have a question about access-lists on ASA: (5520 running 8.4)

Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to the Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal networks and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permits all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to the Internet and deny traffic to internal networks in one statement.

If I specify the outside-interface as the destination only traffic to the interface itself will be allowed. Any tips on this?

Best regards,

Thor-Egil

Accepted Solution

If you don't have NAT for traffic from DMZ to inside you can still have the permit ip any any on the DMZ and still the DMZ traffic should be able to reach the inside networks. If you have NAT (static NAT) you will have to be careful and only allow the necessary, then deny the rest and permit all to the internet.

I hope this helps.
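An added example (not from the original poster or the answer above) of the "allow the necessary, deny the rest, permit all to the Internet" ordering on an ASA 8.4 DMZ interface. Interface names, object names and all addresses are constructed for illustration; the `log` keyword on the deny line is there so blocked DMZ-to-inside attempts show up in syslog, and the two `show`/`packet-tracer` lines at the end are how you verify the ordering before trusting it.

```cisco
! --- Constructed example: ASA 8.4, interface nameif "DMZ" facing a DMZ,
! --- "inside" facing RFC 1918 internal networks, "outside" to the Internet.
! --- On 8.3+ the ACL matches real (pre-NAT) addresses, so the deny below
! --- still catches DMZ hosts even when static NAT exists for inside servers.
object-group network INTERNAL_NETS
 description Every internal range the DMZ must never initiate traffic to
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
object network DMZ_WEB
 host 192.168.100.10
 description Constructed DMZ web server that needs one inside DB port
!
! 1) Allow only the specific DMZ -> inside flows that are required.
access-list DMZ_IN extended permit tcp object DMZ_WEB host 10.1.1.20 eq 1433
! 2) Deny everything else from the DMZ to any internal range, and log it.
access-list DMZ_IN extended deny ip any object-group INTERNAL_NETS log
! 3) Only now permit the rest (i.e. Internet-bound traffic via "outside").
access-list DMZ_IN extended permit ip any any
!
access-group DMZ_IN in interface DMZ
!
! Verification: hit counts per line, and a simulated DMZ -> inside SMB packet
! that should report "DROP" on the deny line (action: drop, access-list).
show access-list DMZ_IN
packet-tracer input DMZ tcp 192.168.100.10 40000 10.1.2.3 445
```

Adding a new internal range means updating `INTERNAL_NETS` only; the deny line and the final permit stay in place, which is what keeps a forgotten deny from silently exposing the inside.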
