
ACL direction on ASA interface

sonyscaria
Level 1

Hello,

Referring to the Cisco document on NAT, I would like to know why the ACL direction is "dmz_acl in interface dmz" rather than "dmz_acl out interface dmz", as the communication is from DMZ to INSIDE.


object network dns-server
host 192.168.0.53
!
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
access-group dmz_acl in interface dmz


The direction depends on source and destination.

Here I see any to server in DMZ, so the direction must be IN.

sonyscaria
Level 1

Thank you for the response. Here the DMZ is accessing the DNS host on the inside, so the direction is DMZ to INSIDE.

From the document:

What about traffic from the DMZ segment destined to hosts on the inside network segment? For example, a server on the inside network that the hosts on the DMZ need to connect to. How can the ASA allow only that specific traffic destined to the inside server and block everything else destined to the inside segment from the DMZ?

In this example it is assumed that there is a DNS server on the inside network at IP address 192.168.0.53 that the hosts on the DMZ need to access for DNS resolution. You create the ACL needed and apply it to the DMZ interface so the ASA can override that default security behavior, mentioned earlier, for traffic that enters that interface.

Here is what those configuration commands look like:

object network dns-server
host 192.168.0.53
!
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
access-group dmz_acl in interface dmz
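As an added illustration (not code from the Cisco document or from either poster), here is a small Python model of how the ASA decides which access-group applies to a flow and then walks that ACL first-match. The "in" keyword means packets entering the ASA on that interface, which is exactly where a DMZ-to-inside packet first appears. The object inside-subnet is never defined in the thread, so 192.168.0.0/24 is assumed here.

```python
"""Model of ASA access-group direction plus first-match ACL evaluation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named objects from the thread's config. inside-subnet is an ASSUMPTION:
# the thread never shows its definition, 192.168.0.0/24 is chosen so that
# the DNS server 192.168.0.53 sits inside it.
OBJECTS = {
    "dns-server": ipaddress.ip_network("192.168.0.53/32"),
    "inside-subnet": ipaddress.ip_network("192.168.0.0/24"),  # assumed
}

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "udp", "tcp" or "ip" (ip matches any protocol)
    dst: str                 # "any" or an object name from OBJECTS
    dport: Optional[int] = None  # None means any destination port

# access-list dmz_acl, in the order the ASA evaluates it (first match wins)
DMZ_ACL = [
    Ace("permit", "udp", "dns-server", 53),   # permit udp any object dns-server eq domain
    Ace("deny", "ip", "inside-subnet"),       # deny ip any object inside-subnet
    Ace("permit", "ip", "any"),               # permit ip any any
]

# access-group dmz_acl in interface dmz  ->  keyed by (interface, direction)
ACCESS_GROUPS = {("dmz", "in"): DMZ_ACL}

def evaluate_acl(acl, proto, dst_ip, dport):
    """Return the first matching ACE's action; every ACL ends in an implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst != "any" and ip not in OBJECTS[ace.dst]:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def applied_acls(ingress_if, egress_if, groups=ACCESS_GROUPS):
    """An 'in' group is consulted on the interface the packet arrives on,
    an 'out' group on the interface it leaves through."""
    return [k for k in ((ingress_if, "in"), (egress_if, "out")) if k in groups]

def check_flow(ingress_if, egress_if, proto, dst_ip, dport, groups=ACCESS_GROUPS):
    """Verdict for the first packet of a flow; 'no-acl' means no group applies
    and the ASA falls back to its security-level default behaviour."""
    keys = applied_acls(ingress_if, egress_if, groups)
    if not keys:
        return "no-acl"
    for key in keys:
        if evaluate_acl(groups[key], proto, dst_ip, dport) == "deny":
            return "deny"
    return "permit"
```

Swapping the group to `("dmz", "out")` makes `applied_acls("dmz", "inside")` empty, which is why the document applies the ACL inbound on dmz: the DMZ-to-inside packet would otherwise never be evaluated against dmz_acl.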
