03-30-2011 08:55 AM - edited 03-11-2019 01:14 PM
Hello experts,
I am trying to filter some outbound traffic but becoming confused!
If I have a network on the DMZ interface, eg 192.168.1.0/24, by default the implicit rules allow all traffic on this network to the outside interface but deny access to the inside interface.
If I want to block an address in the DMZ from outside access I can use...
access-list inside_access_in extended deny ip host 192.168.1.38 any
...but this overrides the implicit rule that allows all traffic to the outside (lower security) interface and now all traffic is blocked.
If I add...
access-list inside_access_in extended permit ip any any
...now I am blocking only the one IP address but I have overridden the 'deny any any' rule that stops traffic flowing to a higher security interface.
How can I block a single address or subnet from the DMZ to the outside without permitting DMZ access to the inside?
Thanks for any help.
03-30-2011 09:46 AM
Hi Gavin,
The simplest way to do this is to put an explicit deny statement with a destination of your inside subnet inbound on the DMZ interface. For example, if your inside subnet is 192.168.0.0/24, the ACL on the DMZ interface would look like this:
access-list dmz_access_in deny ip host 192.168.1.38 any
access-list dmz_access_in deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-group dmz_access_in in interface dmz
The above ACL would prevent 192.168.1.38 from getting to the outside, stop all hosts from accessing the inside subnet, and still allow all remaining access to the outside.
You could also do it using an outbound ACL on the inside interface, but this is much less commonly used. The ACL would look like this, which would deny any traffic from leaving the ASA on the inside interface that was sourced from a DMZ host, but allow all other traffic:
access-list inside_access_out deny ip 192.168.1.0 255.255.255.0 any
access-list inside_access_out permit ip any any
access-group inside_access_out out interface inside
More information about the ACL configurations can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html
Hope that helps.
-Mike
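Added example (not from the thread or from Cisco): a small Python model of how the ASA evaluates an inbound ACL, first match wins with an implicit deny at the end, and with no ACL bound only the security-level rule applies. It is run over the two ACLs discussed above; the security levels, ACL names and host addresses are constructed for the example.

```python
import ipaddress

# Constructed ASA-style security levels (assumption: inside 100, dmz 50, outside 0).
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_ace(line):
    """Parse 'access-list NAME [extended] {permit|deny} ip SRC DST' where SRC/DST are
    'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'. Returns (action, src_net, dst_net)."""
    toks = line.split()
    i = 3 if toks[2] == "extended" else 2
    action = toks[i]
    if action not in ("permit", "deny") or toks[i + 1] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    i += 2
    nets = []
    for _ in range(2):  # source, then destination
        if toks[i] == "any":
            nets.append(ANY); i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32")); i += 2
        else:
            nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}")); i += 2
    return action, nets[0], nets[1]

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def permitted(acl, ingress, egress, src, dst):
    """ACL bound inbound on `ingress`: first matching ACE wins, implicit deny at the end.
    No ACL bound: the implicit rule allows traffic only toward a lower security level."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl is None:
        return SECURITY[egress] < SECURITY[ingress]
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit 'deny ip any any'

# Gavin's two ACEs bound on the DMZ: blocks .38 but the blanket permit opens the DMZ to inside.
GAVIN = parse_acl("""
access-list dmz_access_in extended deny ip host 192.168.1.38 any
access-list dmz_access_in extended permit ip any any""")
# Mike's ACL: explicit deny toward the inside subnet placed before the permit.
MIKE = parse_acl("""
access-list dmz_access_in deny ip host 192.168.1.38 any
access-list dmz_access_in deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in permit ip any any""")

if __name__ == "__main__":
    for name, acl in (("no ACL", None), ("Gavin", GAVIN), ("Mike", MIKE)):
        print(name, "dmz->inside:", permitted(acl, "dmz", "inside", "192.168.1.10", "192.168.0.5"),
              ".38->outside:", permitted(acl, "dmz", "outside", "192.168.1.38", "203.0.113.10"))
```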
03-31-2011 03:58 AM
Thanks Mike,
It all makes perfect sense when someone else says it!
I found it confusing that once I had added my own ACL the implicit rules are overridden and in order to keep traffic flowing I had to add
permit ip any any
which seems contradictory to the implicit rule
deny ip any any
The outbound ACL is interesting, must admit I have never seen that before. Can you still only have one ACL per interface, either inbound or outbound, or can you have one of each?
Thanks
Gavin
03-31-2011 05:08 AM
Hi Gavin,
You can have both inbound and outbound ACLs applied to the same interface. In most scenarios though, inbound ACLs are enough to achieve what you want to do.
Hope that helps.
-Mike
03-30-2011 09:46 AM
Removing duplicate post.
Message was edited by: mirober2