01-20-2014 04:08 AM - edited 03-11-2019 08:32 PM
Hi,
I am running a Cisco ASA 5520 (ver 9.1). I want to add an implicit permit to less secure networks and deny the rest. How can I do this?
Thanks
01-20-2014 05:24 AM
Hi,
Can you clarify a bit.
Do you mean that you want to allow the DMZ access to less secure networks and block all other traffic?
The main question in this case would be if you are using ACL in the DMZ interface at the moment?
If you are NOT using an ACL on the DMZ interface then the "security-level" value should be enough to achieve this.
Since you ask about this, I would presume that you already have an ACL configured on the interface. If so, this means you will have to configure the ACL in a way that meets your specifications. This is because the "security-level" doesn't really have any meaning after an ACL has been attached to the interface.
If you were to build an ACL to mimic the operation of "security-level" value you could follow the following sample configuration.
object-group network DMZ-BLOCKED
 description Networks blocked for the DMZ
 network-object <network> <mask>
 network-object <network> <mask>
 network-object <network> <mask>
 network-object <network> <mask>
access-list DMZ-IN remark Deny traffic to more secure networks
access-list DMZ-IN deny ip any object-group DMZ-BLOCKED
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN permit ip any any
access-group DMZ-IN in interface dmz
The above example would essentially first group all the networks to which the DMZ is NOT to have access inside an "object-group". This "object-group" would then be used in the DMZ interface ACL as the destination to block traffic to those networks. After this all other traffic would be allowed which would essentially allow outbound Internet connections or connections to LAN networks that WERE NOT specified in the "object-group" we created.
If for some reason you need to allow traffic to more secure networks then you would have to add "permit" statements for those at the TOP of the created ACL (so they don't get blocked by the "deny" statement).
Hope this helps
- Jouni
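As an added illustration that is not part of the thread, here is a small Python model of first-match ACL evaluation (the way an ASA interface ACL is processed, with the implicit deny at the end). It shows why the "deny to more secure networks" line followed by "permit any any" gives the behaviour described above, and why a permit exception for a more secure host must sit at the top of the ACL. All networks and hosts below are constructed placeholders.

```python
import ipaddress

# Constructed sample: the networks the DMZ must NOT reach, standing in for
# the DMZ-BLOCKED object-group from the thread. Addresses are placeholders.
OBJECT_GROUPS = {
    "DMZ-BLOCKED": ["10.10.0.0/16", "192.168.1.0/24"],
}


def _matches(addr, spec):
    """spec is 'any', a CIDR prefix, or 'object-group NAME' (resolved to CIDRs)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if spec.startswith("object-group "):
        nets = OBJECT_GROUPS[spec.split(" ", 1)[1]]
        return any(ip in ipaddress.ip_network(n) for n in nets)
    return ip in ipaddress.ip_network(spec)


def evaluate(acl, src, dst):
    """First matching entry wins; traffic matching nothing hits the implicit deny."""
    for action, src_spec, dst_spec in acl:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"  # implicit deny at the end of every interface ACL


# The ACL from the thread: block more-secure networks first, then permit the rest
# (Internet and any LAN network not listed in the object-group).
DMZ_IN = [
    ("deny", "any", "object-group DMZ-BLOCKED"),
    ("permit", "any", "any"),
]

# Exception for one more-secure host, placed at the TOP as the reply advises.
DMZ_IN_WITH_EXCEPTION = [("permit", "any", "192.168.1.50/32")] + DMZ_IN

# Same exception appended at the bottom: it is shadowed by the deny line
# and never reached, so the host stays blocked.
DMZ_IN_WRONG_ORDER = DMZ_IN + [("permit", "any", "192.168.1.50/32")]
```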
01-20-2014 06:06 AM
For some reason our firewall is messed up. Could you please give me the default rule to say "permit less secure network" on a DMZ interface?
01-20-2014 06:18 AM
Hi,
Without knowing the exact setup it's impossible for me to give any actual specific configuration beyond what I have already mentioned above. The above configuration example blocks traffic to more secure networks (that you define in the object-group) and then allows all other traffic, which would essentially mean all the less secure networks.
If you want the ASA to do this automatically then the only way would be to purely use "security-level" configurations on the DMZ interface without any interface ACL.
- Jouni