02-24-2023 12:04 PM - edited 02-24-2023 12:05 PM
SERVER1 (security zone 50 of dmz) ==> ASA-5525 ==> inside network (security zone 100) ==> ISR-router ===> www SERVER2
Server1 initiates the connection to server2. Obviously there is return traffic to Server1.
Regarding only ASA-5525, how many different ACLs need entries for these servers to communicate in this instance?
Thank you.
02-24-2023 12:10 PM - edited 02-24-2023 12:20 PM
@jmaxwellUSAF if server1 in the dmz initiates communications, then there would need to be one ACL to permit the traffic, with at least 1 ACE. As the ASA is stateful, the return traffic would automatically be permitted, meaning you don't need to explicitly permit the return traffic.
Interfaces with a lower security level (DMZ) communicating with interfaces with a higher security level (inside) need an ACL to explicitly permit traffic. Interfaces with a higher security level communicating with a lower security level do not need an ACL to permit traffic; it is permitted by default.
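What that one ACL looks like on the ASA, as an added example (not from the original post). Interface names, addresses and the TCP/443 port are assumptions; ASA 8.3+ syntax, where ACLs match on real (untranslated) addresses.

```text
! Assumed (constructed for this example):
!   nameif dmz    security-level 50   SERVER1 = 192.0.2.10
!   nameif inside security-level 100  SERVER2 = 198.51.100.20 (reached via the ISR)
!   application port assumed: TCP/443

object network SERVER1
 host 192.0.2.10
object network SERVER2
 host 198.51.100.20

! One ACL, one ACE, bound inbound on the lower-security interface
access-list DMZ_IN extended permit tcp object SERVER1 object SERVER2 eq 443
access-group DMZ_IN in interface dmz

! Nothing is configured on "inside": the ASA builds a connection entry when
! it sees the SYN from SERVER1 and matches the reply packets against that
! entry, so no ACL and no reverse-direction ACE is needed there.

! Caveat: binding DMZ_IN adds an implicit "deny ip any any" at its end for
! traffic entering dmz, so any other flow sourced from the DMZ (to another
! interface, even a lower-security one) now needs its own ACE.

! Checks (command names are real; the output shape is illustrative):
!   show access-list DMZ_IN          hit count on the ACE increments
!   show conn address 192.0.2.10     a TCP dmz->inside entry for :443 appears
```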