controlling DMZ host access to inside resources....how?

kcobean
Level 1

I have a DMZ on my firewall.  DMZ interface is Sec-Level 50.  I want the hosts in this DMZ to have unrestricted internet access, and very controlled access to inside hosts.  My question, and I'm sure this has been asked before, is what should my ACL look like given that my global policy is an implicit Deny, and as soon as I create a policy to allow DMZ->INSIDE access, it removes the implicit policy that would allow access to the internet. 

So I guess my question is, do I have to create policy to 1) PERMIT the desired access from DMZ->INSIDE, DENY the remaining/undesired access from DMZ->INSIDE, and then PERMIT access from DMZ->ANY?  This seems ridiculous given the number of network objects that will sit off of my INSIDE interface.  To have to remember to add them to some object group that has to exist specifically to suit this DENY is not feasible.  Am I missing something, or do I really have to do this?

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

I don't really know if there is any other way.

What I usually suggest:

  • Create an "object-group network" which contains all the INSIDE networks
  • Create an "access-list" which uses the created "object-group" to define the destination networks to which connection should be blocked
  • Add an "access-list" rule that allows ALL other traffic
  • Add "access-list" rules/statements to the top of the ACL to allow that traffic which should be allowed from DMZ to INSIDE

So, for example, if you had 3 LAN networks and the single DMZ network you could do:

object-group network DMZ-BLOCKED-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0

access-list DMZ-IN remark Allow connections from DMZ to INSIDE
access-list DMZ-IN permit tcp host 192.168.10.10 host 10.10.10.10 eq
access-list DMZ-IN permit udp host 192.168.10.10 host 10.10.10.10 eq
access-list DMZ-IN remark Block ALL connections from DMZ to INSIDE
access-list DMZ-IN deny ip any object-group DMZ-BLOCKED-NETWORKS
access-list DMZ-IN remark Allow ALL other connections from DMZ
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any

That should pretty much be the basic frame of the ACL.

- Jouni
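The ACL above only works because the ASA evaluates an interface ACL top-down and stops at the first matching line, and because the final `permit ... any` catches everything the `deny ... object-group` did not. The script below is an added example, not Jouni's code and not a Cisco tool: a small first-match evaluator that parses the DMZ-IN lines, answers "is this flow permitted, and by which line?", and lists inside subnets that a generic DMZ host can still reach, which is exactly the maintenance gap the original poster worries about. It assumes ports 80 and 53 on the two explicit permit lines (the reply leaves the port after `eq` blank), a DMZ probe host 192.168.10.50, and an extra inside subnet 10.10.40.0/24 that was never added to DMZ-BLOCKED-NETWORKS; all of these are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object-group, copied from the reply above.
OBJECT_GROUPS = {
    "DMZ-BLOCKED-NETWORKS": [
        ipaddress.ip_network("10.10.10.0/24"),
        ipaddress.ip_network("10.10.20.0/24"),
        ipaddress.ip_network("10.10.30.0/24"),
    ],
}

# Constructed ACL modelled on the DMZ-IN example; ports 80 and 53 are assumed,
# the original lines end at "eq" with no port given.
ACL_LINES = [
    "access-list DMZ-IN remark Allow connections from DMZ to INSIDE",
    "access-list DMZ-IN permit tcp host 192.168.10.10 host 10.10.10.10 eq 80",
    "access-list DMZ-IN permit udp host 192.168.10.10 host 10.10.10.10 eq 53",
    "access-list DMZ-IN remark Block ALL connections from DMZ to INSIDE",
    "access-list DMZ-IN deny ip any object-group DMZ-BLOCKED-NETWORKS",
    "access-list DMZ-IN remark Allow ALL other connections from DMZ",
    "access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any",
]


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]   # None means any destination port
    text: str              # the original line, for reporting


def _take_addr(tokens, i, object_groups):
    """Consume one address specification starting at tokens[i].
    Handles 'any', 'host A.B.C.D', 'object-group NAME' and 'NET MASK'."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return object_groups[tokens[i + 1]], i + 2
    # "network netmask" form; ip_network accepts a dotted mask
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2


def parse_acl(lines, object_groups):
    """Turn 'access-list NAME action proto src dst [eq PORT]' lines into Aces.
    Remark lines carry no rule and are skipped."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _take_addr(tokens, 4, object_groups)
        dst, i = _take_addr(tokens, i, object_groups)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])   # numeric ports only in this example
        aces.append(Ace(action, proto, src, dst, dport, line))
    return aces


def evaluate(aces, src_ip, dst_ip, proto, dport=None) -> Tuple[str, str]:
    """First-match evaluation as the ASA does it: return (action, matching line).
    A flow that matches nothing hits the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


def unprotected_inside_nets(aces, inside_nets, probe_src="192.168.10.50"):
    """Return the inside subnets a generic DMZ host can still reach.
    Any subnet missing from DMZ-BLOCKED-NETWORKS falls through to the final
    'permit ... any' line; the probe uses tcp/22 from an assumed DMZ host."""
    leaks = []
    for net in inside_nets:
        n = ipaddress.ip_network(net)
        action, _ = evaluate(aces, probe_src, str(n.network_address + 1), "tcp", 22)
        if action == "permit":
            leaks.append(net)
    return leaks


ACES = parse_acl(ACL_LINES, OBJECT_GROUPS)

if __name__ == "__main__":
    for flow in [("192.168.10.10", "10.10.10.10", "tcp", 80),
                 ("192.168.10.50", "10.10.20.5", "tcp", 80),
                 ("192.168.10.50", "198.51.100.7", "tcp", 443)]:
        print(flow, "->", evaluate(ACES, *flow))
    # 10.10.40.0/24 is an assumed inside subnet nobody added to the group
    print("reachable inside subnets:", unprotected_inside_nets(
        ACES, ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24"]))
```

Running it shows the explicit tcp/80 flow permitted by the first line, a different DMZ host denied by the object-group line, internet traffic permitted by the last line, and 10.10.40.0/24 reported as reachable: that last result is the reason the poster's object group has to be kept in step with every new inside subnet, and a check like this is a cheap way to catch the omission before a change window closes.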

Thanks Jouni.  That's what I ended up doing; I was just wondering if there was a way to have it allow access to lower-security networks like it does if no policy is in place, while still having an ACL for higher-security resources.  That way I could just specify the DMZ->INSIDE access I want in my policies, while still allowing the internet access as a default behavior.  Not a big deal, just thought I'd ask.

Thanks again!

Hi,

I guess these could always be things that could be changed/added if there was enough interest from many Cisco users. But somehow I imagine it wouldn't be that high a priority on Cisco's list.

Please do mark the reply as the correct answer if it answered your question.

- Jouni
