04-18-2013 06:56 AM - edited 03-11-2019 06:31 PM
I have a group of servers in the DMZ that need to communicate with servers in the inside network as well as the outside network. Where would be the best place to put an ACL to accomplish this?
1. DMZ interface inbound?
2. DMZ interface outbound?
3. neither
I would add more to the question
WebServer1 (dmz) needs to communicate with DBServer1 and DomainController1 (inside) in order to serve requests to the (outside).
Thanks,
Delmiro
04-18-2013 07:03 AM
Hi,
I would suggest using an ACL on each interface and using the inbound direction.
This is at least my personal preference and has always been.
It seems to me the clearest when you control the traffic entering from a certain network segment (inbound) rather than controlling traffic that's already come from some network segment and is now trying to head to another network segment (outbound).
If you need some specific configuration help then we might need to see the current ASA configuration, to see for example if some NAT configuration is required between the DMZ and INSIDE to enable connections between them.
- Jouni
04-18-2013 07:14 AM
Thanks, Jouni, for your answer; it makes sense to do the ACL inbound after reading your explanation. Do you normally have an inbound ACL for your inside interface as well? I already have one inbound for my outside interface.
Thanks,
Delmiro
04-18-2013 07:31 AM
Hi,
I tend to personally configure an ACL for every LAN/DMZ interface protected by the firewall, even if they were used to allow all traffic. All ACLs are also configured in the "inbound" direction.
Naturally the "outside" interface only requires an ACL if you are going to host some services to the Internet from your LAN. It might also be useful in situations where you are not hosting any service but want to allow some ICMP traffic through "outside" so that, for example, Traceroute and other ICMP-related things work correctly.
You don't necessarily need an ACL on the "inside" interface, since your other interfaces are most likely a lower "security-level" than the "inside" interface, so traffic would by default be allowed from "inside" to any other interface on the ASA.
Personally I just find it clearer to have an ACL on every interface, so I know exactly what's allowed and don't have to care about the "security-level" values.
Remember to mark the question as answered, that is, if some reply did answer your question.
Naturally ask more if needed
- Jouni
04-18-2013 08:22 AM
Thanks, Jouni. I do have one last question, and again thanks for helping. Do you have any samples that I can use as a reference for an access list on the DMZ and inside interfaces? I also want to use ACLs the same way you are suggesting and not rely on the security-level values.
04-18-2013 09:44 AM
Hi,
Well, every environment is a bit different, so you might have different ideas on what traffic you want to allow.
Generally though, the DMZ would be a network segment that should only be accessible from the OUTSIDE on certain ports. Likewise the DMZ should be a network segment that has very limited access to your INSIDE network, so in the event that a DMZ server gets "infected" there would be minimal risk to your INSIDE network segment and the problem would be somewhat limited to your DMZ segment.
Naturally, if we are talking about a segment that doesn't have anything to do with the OUTSIDE network, then the ACL rules could again be a bit different.
There are also customers who simply insist on leaving everything open even if it's suggested that the traffic should be controlled.
At its simplest you could consider the following situation:
object-group network LAN-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
object-group network DMZ-DNS
network-object host 8.8.8.8
network-object host 8.8.4.4
object-group network DMZ-SMTP
network-object host x.x.x.x
network-object host y.y.y.y
access-list DMZ-IN remark Deny DMZ -> INSIDE
access-list DMZ-IN deny ip any object-group LAN-NETWORKS
access-list DMZ-IN remark Allow DNS
access-list DMZ-IN permit udp 192.168.10.0 255.255.255.0 object-group DMZ-DNS eq domain
access-list DMZ-IN remark Allow SMTP
access-list DMZ-IN permit tcp 192.168.10.0 255.255.255.0 object-group DMZ-SMTP eq smtp
access-list DMZ-IN remark Allow HTTP / HTTPS / FTP
access-list DMZ-IN permit tcp 192.168.10.0 255.255.255.0 any eq http
access-list DMZ-IN permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list DMZ-IN permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list DMZ-IN remark Deny DMZ -> ANY
access-list DMZ-IN deny ip any any
access-group DMZ-IN in interface dmz
The above is a really simple example.
Naturally, when you need to open traffic to some LAN server or host, you would then add "permit" statements at the very top of the created ACL, so that they override, for their part, the "deny" statement currently at the top of the ACL.
The rules could also be DMZ-server specific. You might only allow certain servers to access the mentioned services on the OUTSIDE and block all others.
As I said it depends on the situation.
- Jouni
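The following is an added example, not configuration from the thread, showing the two points made in the replies above carried through for the case in the question: the WebServer1 -> DBServer1 / DomainController1 permits inserted above the blanket DMZ -> INSIDE deny with the "line" keyword, an explicit inbound ACL on the inside interface so nothing depends on security-level defaults, and an outside ACL that publishes only the web ports plus the ICMP types traceroute needs. It uses ASA 8.3+ object syntax and assumes the object-groups LAN-NETWORKS and DMZ-DNS and the DMZ-IN ACL from the reply above are already configured. The host addresses (WebServer1 192.168.10.10, DBServer1 10.10.10.20, DomainController1 10.10.10.5), the admin subnet 10.10.30.0/24, the MSSQL port and the object names are assumptions for illustration.

```cisco
! Added example (not from the original thread). Addresses, ports and object
! names are assumptions; LAN-NETWORKS, DMZ-DNS and DMZ-IN come from the reply above.
!
! Assumed hosts
object network WEBSERVER1
 host 192.168.10.10
object network DBSERVER1
 host 10.10.10.20
object network DC1
 host 10.10.10.5
!
! Assumed minimal set a web application needs from a DC: DNS, Kerberos, LDAP(S).
! SMB 445 and RPC 135 + dynamic high ports (full domain membership) are deliberately
! not opened from the DMZ; add them only if the DMZ host really must be a domain member.
object-group service DC-SERVICES
 service-object udp destination eq domain
 service-object tcp destination eq domain
 service-object udp destination eq 88
 service-object tcp destination eq 88
 service-object tcp destination eq ldap
 service-object tcp destination eq ldaps
!
! The specific DMZ -> INSIDE permits go ABOVE "deny ip any object-group LAN-NETWORKS".
! "line N" inserts at that position; the ASA evaluates top-down, first match wins.
access-list DMZ-IN line 1 remark WebServer1 -> DBServer1 (assumed MSSQL 1433)
access-list DMZ-IN line 2 permit tcp object WEBSERVER1 object DBSERVER1 eq 1433
access-list DMZ-IN line 3 remark WebServer1 -> DomainController1 (DNS/Kerberos/LDAP)
access-list DMZ-IN line 4 permit object-group DC-SERVICES object WEBSERVER1 object DC1
!
! Explicit inbound ACL on the inside interface. Return traffic for sessions the
! DMZ initiated is handled by the ASA's stateful inspection and needs no ACE here.
access-list INSIDE-IN remark Admin subnet (assumed) manages DMZ hosts
access-list INSIDE-IN permit tcp 10.10.30.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 3389
access-list INSIDE-IN permit tcp 10.10.30.0 255.255.255.0 192.168.10.0 255.255.255.0 eq ssh
access-list INSIDE-IN remark LAN users reach the Internet and DMZ web apps
access-list INSIDE-IN permit tcp object-group LAN-NETWORKS any eq http
access-list INSIDE-IN permit tcp object-group LAN-NETWORKS any eq https
access-list INSIDE-IN permit udp object-group LAN-NETWORKS object-group DMZ-DNS eq domain
access-list INSIDE-IN remark Deny INSIDE -> ANY (everything else is logged as a hit here)
access-list INSIDE-IN deny ip any any
access-group INSIDE-IN in interface inside
!
! Outside only reaches the published web ports. With 8.3+ NAT the ACL names the
! real (untranslated) address. The ICMP types let traceroute/PMTU work without
! opening echo-request to the DMZ.
access-list OUTSIDE-IN permit tcp any object WEBSERVER1 eq http
access-list OUTSIDE-IN permit tcp any object WEBSERVER1 eq https
access-list OUTSIDE-IN permit icmp any any time-exceeded
access-list OUTSIDE-IN permit icmp any any unreachable
access-list OUTSIDE-IN deny ip any any
access-group OUTSIDE-IN in interface outside
!
! Verify the ordering and hit counts, then simulate both an intended and a
! forbidden flow before trusting the policy.
show access-list DMZ-IN
packet-tracer input dmz tcp 192.168.10.10 40000 10.10.10.20 1433
packet-tracer input dmz tcp 192.168.10.10 40000 10.10.10.30 445
```

The two packet-tracer runs are the check worth keeping in a change ticket: the first should end in ALLOW by the inserted line-2 ACE, the second in DROP by the DMZ-IN deny toward LAN-NETWORKS, which confirms the permits were inserted above the deny rather than appended after it. If `show access-list DMZ-IN` shows the new ACEs below the deny, the "line" position was wrong and the permits will never match.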
04-18-2013 11:34 AM
You're amazing Jouni! thanks.