Firewall 9.1 dmz rule

Network Pro
Level 1

Hi,

I am running a Cisco ASA 5520 (ver 9.1). I want to add an implicit permit to less secure networks and deny the rest. How can I do this?

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

Can you clarify a bit.

Do you mean that you want to allow the DMZ access to less secure networks and block all other traffic?

The main question in this case would be if you are using ACL in the DMZ interface at the moment?

If you are NOT using an ACL on the DMZ interface then the "security-level" value should be enough to achieve this.

Since you ask about this, I would presume that you already have an ACL configured on the interface. If so, this means you will have to configure the ACL in the way that your specifications are met. This is because the "security-level" doesn't really have any meaning after an ACL has been attached to the interface.

If you were to build an ACL to mimic the operation of "security-level" value you could follow the following sample configuration.

object-group network DMZ-BLOCKED
 description Networks blocked for the DMZ
 network-object
 network-object
 network-object
 network-object

access-list DMZ-IN remark Deny traffic to more secure networks
access-list DMZ-IN deny ip any object-group DMZ-BLOCKED
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN permit ip any any

access-group DMZ-IN in interface dmz

The above example would essentially first group all the networks to which the DMZ is NOT to have access inside an "object-group". This "object-group" would then be used in the DMZ interface ACL as the destination to block traffic to those networks. After this all other traffic would be allowed which would essentially allow outbound Internet connections or connections to LAN networks that WERE NOT specified in the "object-group" we created.

If for some reason you need to allow traffic to more secure networks then you would have to add "permit" statements for those at the TOP of the created ACL (so they don't get blocked by the "deny" statement).

Hope this helps

- Jouni
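As an added illustration (written for this thread, not part of Jouni's post and not a Cisco tool), the following Python models the two decision paths described above: with no inbound ACL the ASA compares interface security levels, and once an ACL is bound to the interface only the ACL (with its implicit trailing deny) is consulted. It also derives the "more secure" networks for the object-group from the interface security levels and renders the equivalent ASA CLI. The interface names, security levels and subnets are a constructed sample topology, not the poster's firewall.

```python
"""Model of ASA interface-ACL vs security-level behaviour (illustrative only).

Assumptions: the four interfaces, their security levels and subnets below are
constructed for this example; the real appliance's values will differ.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int          # ASA "security-level", 0..100
    networks: tuple              # IPv4 networks reachable behind this interface


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    dst: ipaddress.IPv4Network   # destination match; source is always "any" here


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample topology (assumed, not from the original thread).
INSIDE = Interface("inside", 100, (ipaddress.ip_network("10.10.0.0/16"),))
DMZ = Interface("dmz", 50, (ipaddress.ip_network("192.168.50.0/24"),))
GUEST = Interface("guest", 10, (ipaddress.ip_network("172.16.0.0/24"),))
OUTSIDE = Interface("outside", 0, (ANY,))
INTERFACES = (INSIDE, DMZ, GUEST, OUTSIDE)


def egress_interface(dst_ip, interfaces):
    """Longest-prefix match of the destination to an interface (route lookup stand-in)."""
    best = None
    for intf in interfaces:
        for net in intf.networks:
            if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (intf, net)
    return best[0]


def security_level_permits(src_if, dst_if):
    """No inbound ACL: higher security level to lower is allowed, lower to higher
    is denied. Equal levels need same-security-traffic, treated as deny here."""
    return src_if.security_level > dst_if.security_level


def acl_permits(acl, dst_ip):
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    for entry in acl:
        if dst_ip in entry.dst:
            return entry.action == "permit"
    return False


def decide(src_if, dst_ip, interfaces, acl=None):
    """Once an ACL is bound inbound on the source interface it alone decides;
    the security-level comparison is no longer consulted for that interface."""
    ip = ipaddress.ip_address(dst_ip)
    if acl is None:
        return security_level_permits(src_if, egress_interface(ip, interfaces))
    return acl_permits(acl, ip)


def build_mimic_acl(src_if, interfaces):
    """ACL reproducing security-level behaviour for src_if: deny every network
    behind a more-secure interface, then permit everything else."""
    entries = [AclEntry("deny", net)
               for intf in interfaces if intf.security_level > src_if.security_level
               for net in intf.networks]
    entries.append(AclEntry("permit", ANY))
    return entries


def render_asa_config(acl, acl_name, group_name, intf_name):
    """Emit the equivalent ASA CLI: object-group of denied networks, ACL, binding."""
    lines = [f"object-group network {group_name}"]
    lines += [f" network-object {e.dst.network_address} {e.dst.netmask}"
              for e in acl if e.action == "deny"]
    lines += [f"access-list {acl_name} remark Deny traffic to more secure networks",
              f"access-list {acl_name} deny ip any object-group {group_name}",
              f"access-list {acl_name} remark Allow all other traffic",
              f"access-list {acl_name} permit ip any any",
              f"access-group {acl_name} in interface {intf_name}"]
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_mimic_acl(DMZ, INTERFACES)
    print(render_asa_config(acl, "DMZ-IN", "DMZ-BLOCKED", "dmz"))
    for dst in ("10.10.1.5", "172.16.0.9", "8.8.8.8"):
        print(dst, "no-acl:", decide(DMZ, dst, INTERFACES),
              "mimic-acl:", decide(DMZ, dst, INTERFACES, acl))
```

The point the model makes concrete: `decide(DMZ, "10.10.1.5", INTERFACES, [AclEntry("permit", ANY)])` returns True even though inside is more secure than the DMZ, which is why a bare `permit ip any any` on the DMZ interface silently discards the protection the security levels gave you, and why the deny to the object-group has to come first.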

For some reason our firewall is messed up. Could you please give me the default rule to say "permit less secure network" on a DMZ interface?

Hi,

Without knowing the exact setup it's impossible for me to give any actual specific configuration beyond what I have already mentioned above. The above configuration example blocks traffic to more secure networks (that you define in the object-group) and then allows all other traffic, which would essentially mean all the less secure networks.

If you want the ASA to do this automatically then the only way would be to purely use "security-level" configurations on the DMZ interface without any interface ACL.

- Jouni
