05-07-2013 06:25 AM - edited 03-11-2019 06:39 PM
Hi,
I went through similar posts to this one but I didn't find the answer I am looking for. I'll explain what I am trying to do:
I have a DMZ (50) from where I need to allow some protocols to the inside zone (level 0). I am doing that with an ACL, but after having done that the implicit security-level rule to the lower level (outside, level 0) is not working anymore, I guess because of the implicit deny after the ACL. I'd need to allow traffic to the outside zone from the DMZ, as well as the inspected traffic from the inside one. Is there any way to have both ACLs and security levels?
If not, what do I need to do to allow just some protocols going to the higher level and leave the higher-to-lower traffic inspected and allowed, the same scheme as we have with security levels?
Thanks in advance,
Juan
05-07-2013 07:04 AM
Hi,
I've personally now configured firewalls for around 5 years. I have never had any use for the "security-level" values since I have always used ACLs to control the traffic between local interfaces and towards the Internet.
If you want to build a simple ACL for the DMZ where it would allow Internet traffic but block it from connecting to the "inside" networks then you could simply use
object-group network LAN-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
access-list DMZ-IN remark Block all traffic to Internal Networks
access-list DMZ-IN deny ip any object-group LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN permit ip any any
access-group DMZ-IN in interface dmz
That is what the simplest ACL could look like. It would block DMZ hosts from initiating connection to the LAN-NETWORKS. But at the same time allow traffic to the Internet.
In a normal situation you might limit the connectivity of the DMZ servers so even they cannot connect to anywhere on the Internet.
To my understanding the "inspect" is done after the ACL check when connections are coming towards the ASA firewall. As long as the traffic is allowed, the traffic should also hit the "inspect" rules configured.
Remember to mark the question as answered if it did and/or rate helpful answers.
- Jouni
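To make the point in Jouni's answer concrete, here is an added example (not posted in this thread, and not Cisco's code): a small Python model of how the ASA decides whether the first packet of a new connection arriving on an interface may pass. It follows the two behaviours stated above: once an inbound ACL is bound to an interface, that ACL alone decides, with an implicit deny at the end; with no ACL, the higher-to-lower security-level permit applies. The interface names and security levels mirror the thread; the inside web server address, the Internet host address and the tcp/443 permit are constructed for the example. Scenario 3 goes one step beyond the answer by combining Juan's needed permit with Jouni's deny/permit pair, which is what the original question asked for.

```python
"""Model of Cisco ASA inbound ACL vs. security-level decision (added example).

Constructed for illustration: addresses, the web-server permit and the
interface objects are assumptions, not configuration from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry, reduced to the fields this model needs."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches everything, else "tcp"/"udp"
    dst_nets: List                   # ip_network objects; empty list means "any"
    dst_port: Optional[int] = None   # None means any destination port


@dataclass
class Interface:
    name: str
    security_level: int
    inbound_acl: Optional[List[Ace]] = None   # None = no access-group bound


def acl_permits(acl: List[Ace], proto: str, dst: str, dport: Optional[int]) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_nets and not any(ip_address(dst) in n for n in ace.dst_nets):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action == "permit"
    return False   # implicit "deny ip any any"


def new_connection_allowed(ingress: Interface, egress: Interface, proto: str,
                           dst: str, dport: Optional[int] = None,
                           same_security_traffic: bool = False) -> bool:
    """Decide the initial packet of a connection arriving on `ingress`.

    A bound inbound ACL replaces the security-level rule entirely; without
    one, higher-to-lower is permitted and lower-to-higher denied.  Return
    traffic of an established connection is matched by the connection table,
    not by this check, so it is not modelled here."""
    if ingress.inbound_acl is not None:
        return acl_permits(ingress.inbound_acl, proto, dst, dport)
    if ingress.security_level > egress.security_level:
        return True
    if ingress.security_level == egress.security_level:
        return same_security_traffic
    return False


# Constructed topology mirroring the thread: inside 100, dmz 50, outside 0.
INSIDE = Interface("inside", 100)
OUTSIDE = Interface("outside", 0)
LAN_NETWORKS = [ip_network(n) for n in
                ("10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24")]
INSIDE_HOST, INTERNET_HOST = "10.10.10.5", "203.0.113.10"   # constructed addresses


def evaluate_scenarios() -> dict:
    """Run three DMZ configurations and report the same flows for each:
    DMZ -> inside web server (tcp/443 and tcp/22) and DMZ -> Internet (tcp/80)."""
    scenarios = {
        # 1. No ACL bound: security levels alone decide (behaviour before the ACL).
        "no_acl": None,
        # 2. The question's ACL: only the permit towards the inside, nothing else,
        #    so the implicit deny now also drops DMZ -> Internet.
        "permit_inside_only": [
            Ace("permit", "tcp", [ip_network(INSIDE_HOST + "/32")], 443),
        ],
        # 3. That permit followed by the answer's deny for LAN networks and
        #    "permit ip any any": Internet access returns, other inside traffic stays blocked.
        "deny_lan_permit_rest": [
            Ace("permit", "tcp", [ip_network(INSIDE_HOST + "/32")], 443),
            Ace("deny", "ip", LAN_NETWORKS),
            Ace("permit", "ip", []),
        ],
    }
    results = {}
    for label, acl in scenarios.items():
        dmz = Interface("dmz", 50, acl)
        results[label] = {
            "dmz_to_inside_443": new_connection_allowed(dmz, INSIDE, "tcp", INSIDE_HOST, 443),
            "dmz_to_inside_22": new_connection_allowed(dmz, INSIDE, "tcp", INSIDE_HOST, 22),
            "dmz_to_internet_80": new_connection_allowed(dmz, OUTSIDE, "tcp", INTERNET_HOST, 80),
        }
    return results


if __name__ == "__main__":
    for label, flows in evaluate_scenarios().items():
        print(label, flows)
```

Scenario 2 reproduces the problem from the question (the single permit leaves DMZ-to-Internet hitting the implicit deny), and scenario 3 shows why the explicit deny must come before the final `permit ip any any`: with the order reversed, the broad permit would match first and the LAN deny would never be reached.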
05-07-2013 06:32 AM
Hi,
As soon as you configure an ACL and attach it to an interface, that interface's "security-level" loses its meaning when controlling traffic.
I would suggest changing the "inside" "security-level" to 100 just to keep it different from the "outside". This is because if you were to enter a command that allows traffic between same security-level interfaces all traffic from outside could flow to the "inside" network. (Provided routing and NAT made this possible)
I would suggest going with an ACL on each interface. Trying to use "security-level" to control traffic is an endless maze and doesn't really work other than for the very basic setups.
- Jouni
05-07-2013 06:51 AM
Yes, sorry, my inside zone is 100, and before adding an ACL in the DMZ traffic was flowing as expected, but just one ACL messed it all up. I was using ASDM and the implicit rule from the higher level to the lower one disappeared, leaving just the ACL.
Honestly I was very surprised to see that the zone filtering provided by the security level disappeared once you configure an ACL, so are you saying that zone filtering is not possible in an ASA and we have to provide all the filtering through ACLs? This can mean a lot of work...
In this case, how do policy rules (inspected traffic and so on) apply, the same as with security levels?
Thanks for quick reply, and sorry if I am not more specific with my questions.
Juan