02-17-2016 10:28 AM - edited 03-12-2019 12:19 AM
Hi All,
I have an ASA with an outside, DMZ and inside interface configured and acting as my core internet firewall. I have an FTP server in the DMZ that outside users are permitted to use. Outside security level is 0, DMZ 50, inside 100.
My ACL for the FTP is as follows:
access-list outside_access_in extended permit tcp any object ftpserver object-group DM_INLINE_TCP_27
access-list DMZ_access_in extended permit tcp any object ftpserver object-group DM_INLINE_TCP_27
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
When I do show access list, I have an incrementing hit count on the outside_access_in line for this flow, but the DMZ_access_in my hit count has always been 0. Why is that? I had thought for outside traffic to pass through the firewall, you need to allow it at each zone that has a higher security number than the traffic does? I've permitted it through the outside_access_in, but don't I need to do the same thing on DMZ_access_in for the traffic to get to the FTP server? If so, why is my hit count 0?
02-17-2016 09:35 PM
Hi Dean,
When you are accessing the server from outside to DMZ, the outside access list will be hit. Once the access list permits the traffic, it will create a connection. So when the reverse traffic comes back from the DMZ to outside, it will match the connection and go out. So the ACL which you configured on the DMZ does not get hit. If you check the DMZ access list, you have mentioned the source as any and the destination as the ftp server. The firewall will not get any incoming traffic on the DMZ interface with the destination as the ftp server; hence the hit count is 0. The access list is bound to the DMZ for incoming traffic, not for the outgoing traffic.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
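The mechanism in the answer above, as an added Python model (not from the thread or from Cisco): a packet that matches an existing connection skips ACL lookup entirely, while the first packet of a flow is checked against the `in` ACL on its ingress interface (and an `out` ACL on its egress interface, if one is bound). The hosts `user`, `ftpserver` and `web`, the ports, and the "no ACL bound means permit" shortcut are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
# iface_in: interface the packet arrives on; iface_out: interface it leaves on
Packet = namedtuple("Packet", "src sport dst dport iface_in iface_out")

@dataclass
class Ace:
    """One 'permit tcp <src> <dst> eq <dport>' entry; 'any' is a wildcard."""
    name: str
    src: str
    dst: str
    dport: int
    hits: int = 0
    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.dport == p.dport)

class Asa:
    def __init__(self):
        self.groups = {}    # (interface, "in"|"out") -> Ace, like access-group
        self.conns = set()  # connection table keyed by (src, sport, dst, dport)
    def access_group(self, ace: Ace, iface: str, direction: str) -> None:
        self.groups[(iface, direction)] = ace
    def forward(self, p: Packet) -> str:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return "established"  # belongs to a connection: no ACL lookup, no hit
        # first packet of a flow: ingress 'in' ACL, then egress 'out' ACL, if bound
        for key in ((p.iface_in, "in"), (p.iface_out, "out")):
            ace = self.groups.get(key)
            if ace is None:
                continue  # nothing bound in this direction (simplification)
            if not ace.matches(p):
                return "denied"
            ace.hits += 1
        self.conns.add(fwd)
        return "permitted"

def replay() -> dict:
    """The thread's setup with constructed hosts 'user' (outside) and 'ftpserver' (DMZ)."""
    asa = Asa()
    outside_in = Ace("outside_access_in", "any", "ftpserver", 21)
    dmz_in = Ace("DMZ_access_in", "any", "ftpserver", 21)
    asa.access_group(outside_in, "outside", "in")
    asa.access_group(dmz_in, "DMZ", "in")
    verdicts = [
        asa.forward(Packet("user", 51000, "ftpserver", 21, "outside", "DMZ")),  # client SYN
        asa.forward(Packet("ftpserver", 21, "user", 51000, "DMZ", "outside")),  # server reply
        asa.forward(Packet("ftpserver", 40000, "web", 80, "DMZ", "outside")),   # DMZ-initiated
    ]
    return {"verdicts": verdicts, "outside_access_in": outside_in.hits, "DMZ_access_in": dmz_in.hits}
```

The third packet shows what DMZ_access_in actually governs: a new connection entering on the DMZ interface, which this ACL denies because its only entry expects the ftp server as the destination.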
02-18-2016 08:10 AM
Gotcha, makes sense. Thanks very much, Shiva.
So if I had the DMZ ACL configured in the outbound direction, and had ftpserver as the source and any as the destination, then I would get a hit on the outside ACL AND the DMZ ACL:
1 hit for outside user connecting to ftpserver, and 1 hit for ftpserver return traffic back to user once it traverses the outbound applied DMZ ACL.