ASA-5525. How many different ACLs need entries for this circuit?

SERVER1 (security zone 50 of dmz) ==>  ASA-5525 ==> inside network (security zone 100) ==> ISR-router ===> www SERVER2

Server1 initiates the connection to server2. Obviously there is return traffic to Server1.

Regarding only ASA-5525, how many different ACLs need entries for these servers to communicate in this instance?

Thank you.

Accepted Solutions

@jmaxwellUSAF if server1 in the dmz initiates communications, then there would need to be one ACL to permit the traffic, with at least 1 ACE. As the ASA is stateful, the return traffic would automatically be permitted. Meaning you don't need to explicitly permit the return traffic.

Interfaces with a lower security level (DMZ) communicating with interfaces with a higher security level (inside) need an ACL to explicitly permit traffic. Interfaces with a higher security level communicating with a lower security level do not need an ACL to permit traffic; it is permitted by default.
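As an added illustration, not part of the original thread, here is one ASA configuration that implements the accepted answer: a single ACL applied inbound on the DMZ interface, nothing on the inside interface. The interface names, security levels, ACL name and the addresses (documentation ranges) are assumed; the `!` lines are comments.

```text
! Assumed for this example (constructed, not from the thread):
!   SERVER1 = 192.0.2.10, connected to interface "dmz" (security-level 50)
!   SERVER2 = 198.51.100.20, reached through "inside" (security-level 100)
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
!
! The one ACL the answer describes, with a single ACE: permit only the
! connection SERVER1 needs to initiate (HTTP to SERVER2). Everything else
! from the DMZ toward the higher security level hits the implicit deny.
access-list DMZ_IN remark SERVER1 -> SERVER2 web, initiated from the DMZ
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 198.51.100.20 eq www
access-group DMZ_IN in interface dmz
!
! No ACL on "inside" for the replies: the stateful inspection matches the
! return packets to the connection SERVER1 opened.
!
! Checks a practitioner would run before trusting this:
! 1) the initiating flow should reach the ALLOW result
packet-tracer input dmz tcp 192.0.2.10 40000 198.51.100.20 80
! 2) any other port from SERVER1 should be dropped by the ACL (implicit deny)
packet-tracer input dmz tcp 192.0.2.10 40000 198.51.100.20 22
! 3) after real traffic, the tracked connection should be visible
show conn address 192.0.2.10
```

Keep the ACE host-to-host and port-specific; widening it to `any` would silently grant the DMZ host access to the whole inside network.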
