ACL with Security levels in an ASA 5520

Joan Perez Esteban, Cisco Employee

Hi,

I went through similar posts to this one but I didn't find the answer I am looking for. I'll explain what I am trying to do:

I have a DMZ (50) from where I need to allow some protocols to the inside zone (level 0). I am doing that with an ACL, but after having done that the implicit security-level rule to the lower level (outside, level 0) is not working anymore, I guess because of the implicit deny after the ACL. I'd need to allow traffic to the outside zone from the DMZ, as well as the inspected traffic from the inside one. Is there any way to have both ACLs and security levels?

If not, what do I need to do to just allow some protocols going to the higher level and leave the higher-to-lower inspected traffic allowed, the same schema as we have with security levels?

Thanks in advance,

Juan

3 Replies

Jouni Forss, VIP Alumni

Hi,

As soon as you configure an ACL and attach it to an interface, that interface's "security-level" loses its meaning for controlling traffic.

I would suggest changing the "inside" "security-level" to 100, just to keep it different from the "outside". This is because if you were to enter a command that allows traffic between same-security-level interfaces, all traffic from the outside could flow to the "inside" network (provided routing and NAT made this possible).

I would suggest going with an ACL on each interface. Trying to use "security-level" to control traffic is an endless maze and doesn't really work other than in the very basic setups.

- Jouni

Joan Perez Esteban

Yes, sorry, my inside zone is 100, and before adding an ACL in the DMZ traffic was flowing as expected, but just one ACL messed it all up. I was using ASDM and the implicit rule from the higher level to the lower one disappeared, keeping just the ACL.

Honestly I was very surprised to see that the zone filtering provided by the security level disappeared once you configure an ACL. So are you saying that zone filtering is not possible in an ASA and we have to provide all the filtering through ACLs? This could mean a lot of work...

In this case, how do policy rules (inspected traffic and so on) apply? The same as with security levels?

Thanks for the quick reply, and sorry if I am not more specific with my questions.

Juan

Jouni Forss (accepted solution)

Hi,

I've personally now configured firewalls for around 5 years. I have never had any use for the "security-level" values since I have always used ACLs to control the traffic between local interfaces and towards the Internet.

If you want to build a simple ACL for the DMZ that allows Internet traffic but blocks it from connecting to the "inside" networks, you could simply use:

    object-group network LAN-NETWORKS
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 10.10.30.0 255.255.255.0
    !
    access-list DMZ-IN remark Block all traffic to the LAN networks
    access-list DMZ-IN deny ip any object-group LAN-NETWORKS
    access-list DMZ-IN remark Allow all other traffic (Internet)
    access-list DMZ-IN permit ip any any
    !
    access-group DMZ-IN in interface dmz

That is what the simplest ACL could look like. It would block DMZ hosts from initiating connections to the LAN-NETWORKS but at the same time allow traffic to the Internet.

In a normal situation you might limit the connectivity of the DMZ servers further so that they cannot connect to just anywhere on the Internet.

To my understanding the "inspect" rules are applied after the ACL check when connections come towards the ASA firewall. As long as the traffic is allowed, it should also hit the configured "inspect" rules.

Remember to mark the question as answered if it was, and/or rate helpful answers.

- Jouni
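To make the two points of this answer concrete, here is an added example (not from the original thread or from Cisco): a small Python model of how the ASA decides whether a new connection entering an interface is allowed. It uses the LAN-NETWORKS object-group and DMZ-IN ACL from the answer above, plus a constructed tighter variant; the security-level values assume inside 100, dmz 50, outside 0.

```python
# Added example, not from the original thread: a small model of how an ASA
# decides whether a new connection is allowed in on an interface. It shows the
# two points made above: an inbound ACL replaces the security-level rule, and
# the ACL is first-match with an implicit deny at the end. LAN-NETWORKS and
# DMZ-IN come from Jouni's answer; DMZ_IN_STRICT is a constructed variant.
import ipaddress

LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24")]

# Entry = (action, protocol, dest_networks, dest_port); "any" matches all.
DMZ_IN = [
    ("deny", "ip", LAN_NETWORKS, "any"),   # block DMZ -> inside networks
    ("permit", "ip", "any", "any"),        # allow everything else (Internet)
]

# Constructed tighter variant: DMZ servers may only resolve names and do HTTPS;
# everything else falls through to the implicit deny.
DMZ_IN_STRICT = [
    ("deny", "ip", LAN_NETWORKS, "any"),
    ("permit", "udp", "any", 53),
    ("permit", "tcp", "any", 443),
]

SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}  # assumed values


def _net_match(addr, nets):
    return nets == "any" or any(addr in n for n in nets)


def acl_decision(acl, proto, dst, dport):
    """First matching entry wins; nothing matching hits the implicit deny."""
    d = ipaddress.ip_address(dst)
    for action, aproto, nets, aport in acl:
        if (aproto in ("ip", proto) and _net_match(d, nets)
                and aport in ("any", dport)):
            return action
    return "deny"  # implicit "deny ip any any" at the end of every ACL


def asa_permits(ingress, egress, proto, dst, dport, acls):
    """An ACL bound inbound on `ingress` alone decides; without one, the
    higher-to-lower security-level rule applies. The `inspect` policy only
    sees connections that pass this check."""
    if ingress in acls:
        return acl_decision(acls[ingress], proto, dst, dport) == "permit"
    return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
```

Calling `asa_permits("dmz", "outside", "tcp", "198.51.100.7", 80, {"dmz": DMZ_IN_STRICT})` returns False because nothing in the strict list matches port 80, which is exactly the behaviour Juan saw when the higher-to-lower implicit rule vanished after binding an ACL.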
