05-15-2012 10:00 AM - edited 03-11-2019 04:07 PM
Hello all,
This may be a fairly simple question to answer, but I did some searching and couldn't find a good answer. By default ASAs will allow traffic from a high security interface to a lower security interface, such as the inside(100) to outside(0) and dmz(50), or dmz to outside(0). If you apply an ACL incoming on that interface, is the higher-to-lower interface behavior still present? I want to do some egress filtering on my dmz interface, but still want it to be able to access the outside network. I want to block my inside interface from being able to access my DMZ at all. Any good suggestions on how to do this?
Thanks in advance!
05-15-2012 11:14 AM
Alan,
The ACL bypasses the high to lower rule.
If you want to block access from inside to DMZ, you can change security level on DMZ to 100.
Or if you want to use ACL.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! the interface needs a host address in the subnet, not the network address
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
! once this ACL is bound to the interface, the implicit high-to-low permit no longer applies
access-list name extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list name extended permit ip any any
access-group name in interface inside
hope this helps,
Felipe.
05-15-2012 12:09 PM
Hey Felipe,
That does help, but I need clarification on one part. Does the access-list work alongside the default behavior to allow traffic from a higher security interface to a lower security interface, or does it replace that behavior?
Thanks,
Alan
05-15-2012 12:38 PM
Alan,
The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.
Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.
This is only until version 8.2
Felipe.
05-15-2012 12:56 PM
Ok thanks for the info!
An example of this would be if my inside interface was 192.168.1.0 and my dmz was 192.168.2.0. I would need a statement like this? static (inside,dmz) 192.168.2.0 192.168.1.0 255.255.255.0
Best Regards,
Alan
05-15-2012 02:15 PM
Alan,
You can do:
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
or
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Felipe.
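The two pieces of this thread (an inside ACL that removes the implicit high-to-low permit, and the pre-8.3 NAT that Felipe says the ASA still needs between interfaces) fit together in one configuration. The following is an added example written for this page, not a configuration posted in the thread or taken from Cisco documentation. It assumes inside is 192.168.1.0/24, dmz is 172.16.0.0/24, the outside interface address is 203.0.113.2/24 (a documentation range) and 203.0.113.53 is the DNS resolver the DMZ hosts are allowed to use; all of those addresses and the ACL names are made up for the example. It also turns on nat-control, which is what makes the NAT rules mandatory on 8.2: with nat-control off (the default), a flow that matches no NAT rule is simply passed untranslated.

```cisco
! Added example, ASA 8.2-style syntax. Addresses and ACL names are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Inside: binding an ACL here replaces the implicit high-to-low permit with
! exactly these lines plus the implicit deny at the end. Block the DMZ first,
! then allow everything else (inside -> outside still works).
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! DMZ egress filtering: the explicit deny toward inside comes first so that no
! later "permit ... any" can ever reach the internal network, then only the
! services the DMZ hosts actually need, then a logged catch-all deny.
access-list DMZ_IN extended deny ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! 203.0.113.53 is the assumed resolver; restrict DNS to it rather than "any"
access-list DMZ_IN extended permit udp 172.16.0.0 255.255.255.0 host 203.0.113.53 eq domain
access-list DMZ_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list DMZ_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Pre-8.3 NAT. With nat-control on, every flow crossing interfaces must match
! a translation rule, so the security level still decides which rules exist.
nat-control
! inside -> outside and dmz -> outside: PAT to the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
global (outside) 1 interface
! inside -> dmz: identity static so inside addresses are unchanged in the DMZ.
! This only makes the flow eligible for translation; INSIDE_IN still drops it.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
```

Two checks worth running after pushing this: `show access-list DMZ_IN` to confirm the hit counts land on the permit lines you expect and on the final deny (the `log` keyword makes the dropped DMZ flows visible in syslog), and `packet-tracer input inside tcp 192.168.1.10 1025 172.16.0.10 80` to confirm the inside-to-DMZ drop is attributed to the ACL phase and not to a missing NAT rule. On 8.3 and later the nat/global/static lines above are replaced by object NAT, but the ACL behavior (interface ACL replaces the implicit permit) is unchanged.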