03-28-2024 10:19 AM
Greetings! I hope somebody can guide me on how this is supposed to be done. Sorry, I'm a noob and can't seem to find an answer.
Let's say I have 3 subnets/vlans/interfaces with security levels:
inside (90)
dmz (10)
outside (0)
Let's say I want to allow HTTP/HTTPS outgoing traffic from the DMZ to the Internet. So I create an ACL on the DMZ interface to allow any machine in the DMZ subnet to connect via HTTP/HTTPS to 'any'. But, as a result, I'm automatically allowing HTTP/HTTPS traffic from the DMZ to any machine in the 'inside' subnet (even though it has a higher security level, and I definitely don't want to allow that). How do I go about it? I.e., I want to allow machines in the DMZ to connect via HTTP(S) to any IP, but only going 'through' the 'outside' interface.
Thank you
Solved! Go to Solution.
03-28-2024 10:37 AM
You need an ACL that has multiple elements. I build my DMZ-ACLs typically in the following way:
1) Permit from DMZ IPs to internal systems, whatever is needed
2) Deny from Any to RFC1918, I assume that all internal systems have RFC1918 addresses
3) Permit DMZ IPs to Any for Internet communication
In 3) the Any is only the internet as 2) already denied the communication to inside.
On FTD this is much easier as we can use incoming and outgoing zones.
03-28-2024 10:41 AM
Higher security can, by default, initiate traffic to lower security so no ACL is needed for that. So inside-dmz, inside-outside and dmz-outside don't need an ACL. Only when you put an ACL in place on an interface does the behavior follow the ACL (with an implicit DENY all for that interface when traffic does not match the ACL).
If you wanted to restrict the dmz to internet traffic to https but at the same time prohibit it from initiating traffic to the inside, you would start with an ACL entry prohibiting something like all RFC 1918 networks (or whatever you are using inside), then allow all other traffic using port 443 (tcp for https and udp for QUIC).
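As an added worked example (not code from any of the posts above), here is the ordered DMZ ACL that the two solution posts describe, written in ASA extended-ACL syntax and evaluated first-match in Python to show why the RFC1918 deny must sit before the permit-to-any. The DMZ subnet 192.168.10.0/24 and the one permitted internal server 10.1.1.5 are assumed values.

```python
import ipaddress

# Constructed DMZ ACL (assumed addressing: DMZ 192.168.10.0/24,
# internal web server 10.1.1.5, all inside networks in RFC1918 space).
DMZ_ACL = """
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.5 eq 443
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list DMZ_IN extended permit udp 192.168.10.0 255.255.255.0 any eq 443
"""

def _parse_addr(tokens, i):
    """Consume one ASA address spec: 'any', 'host X', or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(text):
    """Return ordered list of (action, proto, src_net, dst_net, dst_port|None)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p != "ip" and p != proto:
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(DMZ_ACL)
    print(evaluate(acl, "tcp", "192.168.10.20", "10.1.1.5", 443))     # permit
    print(evaluate(acl, "tcp", "192.168.10.20", "10.1.1.9", 443))     # deny
    print(evaluate(acl, "tcp", "192.168.10.20", "203.0.113.7", 443))  # permit
```

On the ASA the list would be bound with `access-group DMZ_IN in interface dmz`; reordering the permit-to-any above the RFC1918 denies would reopen DMZ-to-inside HTTPS.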
03-28-2024 10:32 AM
Traffic initiated from DMZ to OUT makes the ASA build a conn entry that specifies DMZ and OUT as the interfaces of the traffic.
The return traffic allowed is ONLY from OUT to DMZ, not from OUT to DMZ and IN.
The ASA checks the conn table for return traffic.
MHM
03-28-2024 10:45 AM - edited 03-28-2024 11:57 AM
I split my answer because ACLs with security levels are more than can be explained in one comment.
I saw a link before that helped me a lot; I searched for it and found it.
Check it; it is for you and others and answers all questions about this topic.
https://networkdirection.net/articles/firewalls/asa-securitylevels/
Thanks a lot
MHM
03-28-2024 11:45 AM
Thank you!