Access rules versus security level

Tony Carman
Level 1

Hi all,

Overview/Facts

Firewall: ASA

Security Level:

Outside - 0

DMZ - 10

Inside - 100

Access Rules in Question (ALL INCOMING):

Outside - implicit any | any | IP | DENY

DMZ - implicit any | any | IP | PERMIT

Inside - implicit any | any | IP | PERMIT

Situation/Confusion

It is my understanding (please correct me if I am wrong) that the security level requires the Inside interface to initiate traffic to the DMZ or Outside interface for traffic to come back in on the Inside interface. With that said, I have seen the implicit access rule for the Inside interface that permits IP from any to any.

Question

Wouldn't the fact that the Inside interface has an implicit IP any/any permit access rule totally negate the reasoning behind having a DMZ with a security level of 10 and an Inside interface with a security level of 100? I guess what I am trying to say is: is it a good idea to have this rule? Wouldn't it be more secure to set access rules for the specific DMZ appliances that will be talking back to the Inside?

Thanks in advance for your time.

2 Replies

alejands
Level 1

Tony,

On the ASA, by default, without any access list, you will have an implicit permit ip any any to less secure networks.

With this being said, by default you will be able to go from DMZ to Outside with no problem, but not to Inside, and from Inside to Outside or DMZ without problem. You just need NAT.

If you want the DMZ to access the Inside, you will indeed need to add access rules to be able to do this; you can be more explicit if you want.

To do that, add a specific ACL permitting access to the Inside.

Hope this will help to answer your question.

Do you know if it is industry standard to do an implicit any/any IP permit on the incoming Inside interface? It just seems this is less secure than access rules that are more specific, like going from Machine A in the DMZ to Machine X in the Inside LAN. Does that make sense? Thank you for the reply. It helped clarify things.
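To make the two points in this thread concrete (the implicit permit only works from a higher to a lower security level, and an explicit ACL is what opens a specific DMZ-to-Inside flow), here is an added ASA configuration example. It is not from either poster; the interface names and security levels are the ones given in the question, while the physical interface names, object names and IP addresses are constructed for illustration.

```text
! Security levels exactly as stated in the thread.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/1
 nameif DMZ
 security-level 10
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
!
! Constructed (hypothetical) addresses: a web server in the DMZ that must
! reach one database server on the Inside network.
object network DMZ-NET
 subnet 172.16.10.0 255.255.255.0
object network DMZ-WEB
 host 172.16.10.5
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network INSIDE-DB
 host 10.1.1.20
!
! With no ACL on DMZ, the ASA permits DMZ -> Outside (10 > 0) and denies
! DMZ -> Inside (10 < 100). Applying an ACL replaces that implicit rule
! entirely, so DMZ -> Outside must now be permitted explicitly as well.
access-list DMZ_IN extended permit tcp object DMZ-WEB object INSIDE-DB eq 1433
access-list DMZ_IN extended deny ip any object INSIDE-NET log
access-list DMZ_IN extended permit ip object DMZ-NET any
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! Optional tightening of the Inside side the question asks about: replace
! the implicit any/any permit with only the outbound flows that are needed.
! Return traffic for these connections is allowed by stateful inspection,
! not by any rule on the DMZ or Outside interface.
access-list INSIDE_IN extended permit tcp object INSIDE-NET object DMZ-WEB eq 443
access-list INSIDE_IN extended permit udp object INSIDE-NET any eq 53
access-list INSIDE_IN extended permit tcp object INSIDE-NET any eq 80
access-list INSIDE_IN extended permit tcp object INSIDE-NET any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface Inside
```

The ordering in DMZ_IN matters: the deny toward INSIDE-NET sits before the permit to any, otherwise the any would also match Inside addresses. The trailing deny with log on each list is there so that connection attempts the design does not expect show up in the syslog rather than disappearing silently.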
