cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1646
Views
0
Helpful
5
Replies

ACL and default traffic flow from higher to lower interface question

Alan Herriman
Level 1
Level 1

Hello all,

This may be a fairly simple question to answer, but I did some searching and couldn't find a good answer. By default ASA's will allow traffic from a high security interface to a lower secuirt interface. Such as the inside(100) to outside(0) and dmz(50) or dmz to outside(0). If you apply an ACL incoming on that interface is the higher to lower interface behavior still present? I want to do some egrees filtering on my dmz interface, but still want it to be able to access the outside network. I want to block my inside interface from being able to access my DMZ at all. Any good suggestions on how to do this?

Thanks in advance!

1 Accepted Solution

Accepted Solutions

Alan,

The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.

Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.

This is only until version 8.2

Felipe.

View solution in original post

5 Replies 5

lcambron
Level 3
Level 3

Alan,

The ACL bypasses the high to lower rule.

If you want to block access from inside to DMZ, you can change security level on DMZ to 100.

Or if you want to use ACL.

int g0/1

nameif inside

ip addresses 192.168.1.0 255.255.255.0

int g0/2

nameif dmz

ip address 172.16.0.0 255.255.255.0

access-list name deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list name permit ip any any

access-group name in interface inside

hope this helps,

Felipe.

Hey Felipe,

That does help, but I need clafication on one part. Does the Access-list work along side the default behavior to allow traffic from a higher security interface to a lower secuirty interface or does it replaces that behavior?

Thanks,

Alan

Alan,

The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.

Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.

This is only until version 8.2

Felipe.

Ok thanks for the info!

An example of this would be if my inside interface was 192.168.1.0 and my dmz was 192.168.2.0. I would need a statement like this? static (inside,dmz) 192.168.2.0 192.168.1.0 255.255.255.0

Best Regards,

Alan

Alan,

You can do:

nat (inside) 1 192.168.1.0 255.255.255.0

global (dmz) 1 interface

or

static (inside,dmz) 192.168.1.0 192.168.1.0

Felipe.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card