Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
6
Replies

ASA denying DMZ 50 to outside 0. NAT rules are correct.

Go to solution
Dean Romanelli
Level 4
Level 4

‎12-18-2014 08:05 AM - edited ‎03-11-2019 10:14 PM

Hi All,

Trying to set up a flow from a Barracuda server located in my DMZ, to an outside NTP website on port 123, but my ASA logs show the following:

|106023|scrubbed|123|205.158.110.60|123|Deny udp src DMZ:scrubbed/123 dst outside:205.158.110.60/123 by access-group "DMZ_access_in"
 

My DMZ is security-level 50, and outside is security-level 0.

interface GigabitEthernet0/2
 description To_DMZ
 nameif DMZ
 security-level 50
 ip address scrubbed 255.255.255.0

interface GigabitEthernet0/0
 description OUT
 nameif outside
 security-level 0
 ip address scrubbed 255.255.255.224

My NAT rules are correct as follows to NAT server with DMZ address to public access address:

nat (DMZ,outside) static scrubbed

DMZ_access_in ACL has no deny statements in it.

Same security is implemented:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

Why is this getting stuck in my DMZ ACL? Shouldn't a stateful firewall permit the return traffic for traffic initiated from a higher security level to a lower security level as long as NAT rules are correct?

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Dean Romanelli

‎12-19-2014 08:29 AM

The second part is correct. If the initial traffic is allowed, the return-traffic will be allowed automatically by the statefull inspection.

For the initial-traffic, you have the default-rule that traffic from a higher to lower security-level interface is allowed. But the moment you add an ACL to an interface, this default is not in place any more. From now on every wanted traffic has to be allowed explicitly as each ACL has an implicit "deny any any" at the end (depending on your ASA-version this line can be in the interface- or the global ACL) that will deny all traffic that is not explicitly allowed.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Karsten Iwen
VIP
VIP

‎12-18-2014 08:42 AM

  1. For this type of traffic you don't need any "same-security-traffic" commands.
  2. You say that your DMZ-ACL doesn't have any deny-statements. But do you have a permit-statement for the initiating traffic? That is needed.
0 Helpful

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Karsten Iwen

‎12-19-2014 08:23 AM

Hi Karsten,

I'm not sure I understand why I need a permit statement for the initiating traffic. If the server in my DMZ is the initiator, which it is, then shouldn't security 50 traffic be permitted over security 0 by design, and the return traffic permitted by the stateful function?

 

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Dean Romanelli

‎12-19-2014 08:29 AM

The second part is correct. If the initial traffic is allowed, the return-traffic will be allowed automatically by the statefull inspection.

For the initial-traffic, you have the default-rule that traffic from a higher to lower security-level interface is allowed. But the moment you add an ACL to an interface, this default is not in place any more. From now on every wanted traffic has to be allowed explicitly as each ACL has an implicit "deny any any" at the end (depending on your ASA-version this line can be in the interface- or the global ACL) that will deny all traffic that is not explicitly allowed.

0 Helpful

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Karsten Iwen

‎12-22-2014 05:05 PM

Karsten,

If the ACL is applied inbound though, wouldn't that not affect the outbound traffic (i.e. initial traffic) from the DMZ? Or does direction not matter in terms of invalidating the default "higher to lower" behavior?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Dean Romanelli

‎12-22-2014 11:09 PM

The ACL will control traffic in all directions. The ACL on the DMZ-interface will limit what you can send to the lower level (what was all by default) and at the same time makes it possible to send traffic to the higher levels. This ACL needs to allow all needed initial traffic regardless where the destination is.

0 Helpful

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Karsten Iwen

‎12-23-2014 12:48 PM

Gotcha.  Thank you much.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card