08-31-2017 08:48 AM - edited 02-21-2020 06:15 AM
I am running latest 9.8.1 code. I need assistance in allowing traffic from lower security level to higher. Below is the config.
Interface g0/1
nameif inside
security-level 100
ip address 10.20.5.1 255.255.255.0 standby 10.20.5.2
interface g0/2
nameif DMZ1
security-level 15
ip address 10.20.3.1 255.255.255.0 standby 10.20.3.2
interface g0/3
description SQL subnet
vlan 5
nameif DMZ2
security-level 25
ip address 10.20.4.1 255.255.255.0 standby 10.20.4.2
I need help in allowing traffic both ways between inside and DMZ1 and inside and DMZ2.
Thank you in advance.
08-31-2017 10:07 AM
Higher security to lower security is allowed by default. Only if you have an ACL applied for other reasons on the interface do you need to add a rule for traffic to lower security interfaces.
For the lower to higher use case you just need to permit it with an access-list and then assign the access-list with the access-group command.
In both cases, return traffic for a given flow is always allowed since the ASA is a stateful firewall.
08-31-2017 10:34 AM
Sounds dumb, but I need help with creating those ACLs. I have tried different ways but haven't been successful.
08-31-2017 10:51 AM
Two lines should do it. Assuming you want any host in DMZ2 to communicate with any host in DMZ1, something like this should work:
access-list dmz2-dmz1 permit ip 10.20.4.0 255.255.255.0 10.20.3.0 255.255.255.0
access-group dmz2-dmz1 in interface DMZ2
Of course if that's your policy, you could just make them same security level and "permit same-security traffic intra-interface"
06-16-2019 02:54 PM
Hey, I know this is an old thread, but it's the top Google result.
The problem with the written ACL solution is that the implicit deny at the end of the ACL will break the built-in permission for traffic to move from higher to lower level security zones. If you have a management network, an internal network for VMs, and an internet network (outside), adding one ACL to permit one VM to access one management network IP will break the outbound internet access.
Is there any way short of manually blocking traffic to each higher-level network, then allowing any any, to resolve this?
06-16-2019 07:33 PM
@KylePericak9919 wrote:
...
Is there any way short of manually blocking traffic to each higher-level network, then allowing any any, to resolve this?
That's the recommended solution.
Typically, where the internal networks are RFC 1918, you can just do the single allow and then a couple of lines to deny the three RFC 1918 supernets (or one line if you define a network object group for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and then a final "allow any any".
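The failure mode raised in the 2019 reply (an ACL's implicit deny removing the default higher-to-lower permission) and the deny-the-supernets workaround in the last reply, modelled as an added Python example that is not from this thread. The interface names, levels and subnets follow the original post; the "outside" interface, the inside host 10.20.5.10 and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Constructed model of the ASA from the thread: nameif -> (security-level, connected subnet).
# "outside" at level 0 is an assumption, standing in for the default route.
IFACES = {
    "inside": (100, ipaddress.ip_network("10.20.5.0/24")),
    "DMZ1": (15, ipaddress.ip_network("10.20.3.0/24")),
    "DMZ2": (25, ipaddress.ip_network("10.20.4.0/24")),
    "outside": (0, ipaddress.ip_network("0.0.0.0/0")),
}
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def egress_iface(dst_ip):
    """Longest-prefix match of the destination against the connected subnets."""
    ip = ipaddress.ip_address(dst_ip)
    return max((n for n, (_, net) in IFACES.items() if ip in net),
               key=lambda n: IFACES[n][1].prefixlen)


def permitted(access_groups, src_iface, src_ip, dst_ip):
    """Mimic ASA inbound ACL evaluation. access_groups maps nameif -> ordered list of
    (action, src_net, dst_net) entries applied 'in' on that interface. With no
    access-group the security-level rule decides; with one, the ACL ends in an
    implicit deny and the level rule no longer applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = access_groups.get(src_iface)
    if acl is None:  # no ACL: higher -> lower allowed, lower -> higher denied
        return IFACES[src_iface][0] > IFACES[egress_iface(dst_ip)][0]
    for action, src_net, dst_net in acl:  # first matching entry wins
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


# One permit for DMZ2 -> a single inside host. Everything else DMZ2 sends now hits
# the implicit deny, including DMZ2 -> DMZ1 and DMZ2 -> outside, which levels allowed.
BROKEN = {"DMZ2": [("permit", "10.20.4.0/24", "10.20.5.10/32")]}

# The fix from the thread: explicit permits, deny the RFC 1918 supernets, permit any any.
# DMZ1 needs its own permit, because the supernet deny would otherwise catch 10.20.3.0/24.
FIXED = {"DMZ2": [("permit", "10.20.4.0/24", "10.20.5.10/32"),
                  ("permit", "10.20.4.0/24", "10.20.3.0/24")]
                 + [("deny", "10.20.4.0/24", net) for net in RFC1918]
                 + [("permit", "0.0.0.0/0", "0.0.0.0/0")]}
```

Order matters: the explicit permits must sit above the supernet denies, or the first matching deny silently wins.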