07-26-2012 11:35 AM - edited 03-11-2019 04:35 PM
Hi all,
Overview/Facts
Firewall: ASA
Security Level:
Outside - 0
DMZ - 10
Inside - 100
Access Rules in Question (ALL INCOMING):
Outside - implicit any | any | IP | DENY
DMZ - implicit any | any | IP | PERMIT
Inside - implicit any | any | IP | PERMIT
Situation/Confusion
It is my understanding, please correct me if I am wrong, that the security level requires that the Inside interface must initiate traffic to the DMZ or Outside interface for traffic to come back in the Inside interface. With that said, I saw the access rule for the Inside interface that is implicit and gives IP permission from any to any.
Question
Wouldn't the fact that the Inside interface has an implicit IP any/any permit access rule totally negate the reasoning behind having a DMZ with a security level of 10 and an Inside interface with a security level of 100? I guess what I am trying to say is, is it a good idea to have this rule? Wouldn't it be more secure if you set access rules for specific DMZ appliances that will be talking back to the Inside?
Thanks in advance for your time.
07-26-2012 11:53 AM
Tony,
On the ASA by default, without any access list, you will have an implicit permit ip any to any less secure networks.
With this being said, by default you will be able to go from DMZ to Outside with no problem, but not to Inside, and from Inside to Outside or DMZ without problem. Just needing NAT.
If you want the DMZ to access it, you indeed will need to add access rules to be able to do this; you can be more explicit if you want.
To add a specific ACL to access on Inside.
Hope this will help to answer your question.
07-26-2012 12:29 PM
Do you know if it is industry standard to do an implicit any any IP Permit on the incoming Inside interface? It just seems this is less secure than access rules that are more specific like going from Machine A in DMZ to Machine X in Inside LAN. Does that make sense? Thank you for the reply. It helped clarify things.
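The two situations discussed in this thread, as an added configuration example that is not part of the original posts and not Cisco's own text: the default state where no ACL is bound to the DMZ interface, and the explicit host-to-host rule the follow-up question asks about (Machine A in the DMZ to Machine X on the Inside), plus an equivalent restriction on the Inside interface. Interface names, object names, addresses and ports are hypothetical, and ASA 8.3+ object-based syntax is assumed.

```text
! Added example (not from the thread). Names, addresses and ports are
! hypothetical; ASA 8.3+ object syntax assumed. Interfaces as in the thread:
! Outside (0), DMZ (10), Inside (100), using those strings as nameif values.
!
! --- Before: no access-group bound to DMZ ---
! With no ACL on DMZ the security levels decide on their own:
!   DMZ -> Outside  permitted (10 > 0)
!   DMZ -> Inside   denied    (10 < 100)
! Return traffic for connections the Inside initiated is allowed by the
! stateful inspection, not by any rule on DMZ.

! --- After: one explicit flow, Machine A (DMZ) -> Machine X (Inside) ---
object network MACHINE-A-DMZ
 host 10.1.10.5
object network MACHINE-X-INSIDE
 host 192.168.1.20
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0

! 1. the single flow that is actually required, narrowed to one port
access-list DMZ_IN extended permit tcp object MACHINE-A-DMZ object MACHINE-X-INSIDE eq 1433
! 2. anything else from the DMZ toward the inside network is dropped and logged
access-list DMZ_IN extended deny ip any object INSIDE-NET log
! 3. binding an ACL replaces the level-based implicit permit with an implicit
!    deny at the end, so DMZ -> Outside must now be permitted explicitly
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ

! --- Same treatment for Inside ---
! Without an ACL, Inside gets the implicit permit to DMZ and Outside that the
! first post describes. Binding an ACL lets you state which inside hosts may
! reach which DMZ services and confine the rest to what users actually need.
access-list INSIDE_IN extended permit tcp object INSIDE-NET object MACHINE-A-DMZ eq 443
access-list INSIDE_IN extended deny ip any 10.1.10.0 255.255.255.0 log
access-list INSIDE_IN extended permit tcp object INSIDE-NET any eq 80
access-list INSIDE_IN extended permit tcp object INSIDE-NET any eq 443
access-list INSIDE_IN extended permit udp object INSIDE-NET any eq 53
access-group INSIDE_IN in interface Inside
```

After applying the DMZ_IN ACL, `show access-list DMZ_IN` shows the hit counts per line, and `packet-tracer input DMZ tcp 10.1.10.5 12345 192.168.1.20 1433` walks the flow through the ACL and NAT phases and reports whether it would be allowed; running the same command against a different inside host should end in a drop at the ACCESS-LIST phase. The point to keep in mind is step 3: the moment any ACL is bound to an interface, the "permit to less secure" behaviour for that interface is gone and must be written out, so a DMZ rule that forgets the final permit silently breaks the DMZ's Internet access.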