12-27-2019 03:57 AM
Hi
I have 3 interfaces
Inside (100)
Outside (0)
DMZ (50)
I want to restrict traffic between the DMZ and Inside, but as soon as I enter an outbound rule on the DMZ to "any" I can communicate with the inside LAN.
I only want to allow certain traffic through to certain hosts for ADFS reasons.
How do I restrict this?
I have changed the destination to Outside or to obj_any (which I created as 0.0.0.0), but when I do that I can no longer access the internet.
interface GigabitEthernet1/1
description "WAN Interface"
nameif outside
security-level 0
ip address XX.XXX.XXX.XXX2 255.255.255.248 standby XX.XXX.XXX.XXX6
!
interface GigabitEthernet1/3
nameif Inside
security-level 100
ip address 172.0.5.2 255.255.255.248 standby 172.0.5.3
!
interface GigabitEthernet1/5
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/8
description LAN/STATE Failover Interface
!
boot system disk0:/asa9101-lfbff-k8.SPA
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name insideSecurity.co.uk
access-list INSIDE extended permit object-group DM_INLINE_SERVICE_4 object inside_Servers any
access-list INSIDE extended permit object-group DM_INLINE_SERVICE_1 object inside-User-LAN any
access-list INSIDE extended permit icmp any any
access-list INSIDE extended permit object O365_tcp_587 object XEROX-Printer any
access-list INSIDE extended permit ip object CHU-AP-01 any
access-list INSIDE extended permit ip object inside_DH_LAN 172.0.20.0 255.255.255.0
access-list INSIDE extended permit ip object inside_DH_LAN object Unit_19_CCTV
access-list INSIDE extended permit object Plex object Hussain any
access-list INSIDE extended deny ip any any
access-list OUTSIDE extended permit tcp any host 172.0.20.11 eq https
access-list OUTSIDE extended permit object CCTV_NVR_37777 any object CCTV_ENCODER
access-list OUTSIDE extended permit icmp any object inside-User-LAN
access-list OUTSIDE extended permit tcp any object CHU-DC-01 eq ldap
access-list OUTSIDE extended permit object-group SIP-Ports object-group SIP-Servers object AVAYA_EXTERNAL
access-list OUTSIDE extended permit object CCTV_NVR_37777 any object CCTV_NVR
access-list OUTSIDE extended deny ip any any log
access-list OUTSIDE extended deny ip object-group BLOCK_IP_ADDRESSES any
access-list OUTSIDE extended permit icmp any any echo-reply inactive
access-list Elite_access_in extended permit ip any any
access-list inside_access_in extended deny ip any object BAD_IP
access-list inside_access_in extended deny object NTP object CCTV_ENCODER any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_4 any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_11 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 object inside_DH_LAN any
access-list inside_access_in extended permit object-group SIP-Ports object AVAYA object-group SIP-Servers
access-list inside_access_in extended permit tcp object CHU-DC-01 any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object CHU-ADM-01 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 object inside_Servers any
access-list inside_access_in extended permit ip object FRANK any inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group DM_INLINE_NETWORK_13 any
access-list inside_access_in extended permit object O365_tcp_587 object XEROX-Printer any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_10 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_5 object Elite_Servers
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object WMX_IOM_LAN
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_8 object inside_Azure_LAN
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_9 object-group DM_INLINE_NETWORK_14 object DMZ-ADFS-01 inactive
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_10 object DMZ-ADFS-01 object-group DM_INLINE_NETWORK_12 log disable inactive
access-list DMZ_access_in extended permit ip 192.168.0.0 255.255.255.0 object obj_any
access-list inbound extended permit tcp any host 172.0.20.11 eq ldap
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging console errors
logging buffered informational
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu null 1500
mtu DMZ 1500
failover
failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet1/8
failover key *****
failover link FAIL-OVER GigabitEthernet1/8
failover interface ip FAIL-OVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,inside) source static any any destination static obj-XX.XXX.XXX.XXX CHU-DC-01 service https https
nat (inside,outside) source static CHU-DC-01 obj-XX.XXX.XXX.XXX service ldap ldap
nat (inside,outside) source static inside_DH_LAN inside_DH_LAN destination static ELITE_DH_LAN ELITE_DH_LAN no-proxy-arp route-lookup
nat (inside,outside) source static inside-User-LAN inside-User-LAN destination static inside_Azure_LAN inside_Azure_LAN no-proxy-arp route-lookup
nat (inside,outside) source static inside_DH_LAN inside_DH_LAN destination static inside_Azure_LAN inside_Azure_LAN
nat (inside,outside) source static inside_DH_LAN inside_DH_LAN destination static WMX_IOM_LAN WMX_IOM_LAN no-proxy-arp route-lookup
nat (inside,outside) source static inside_DH_LAN inside_DH_LAN destination static ELITE_DH_LAN ELITE_DH_LAN no-proxy-arp route-lookup
nat (inside,inside) source static inside_DH_LAN inside_DH_LAN destination static Azure Azure no-proxy-arp route-lookup
nat (inside,outside) source static inside_DH_LAN inside_DH_LAN destination static Azure Azure no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_9 CCTV_EXTERNAL
!
object network obj_any
nat (any,outside) dynamic interface
object network AVAYA
nat (inside,outside) static XX.XXX.XXX.XXX dns
object network CCTV_NVR
nat (inside,outside) static XX.XXX.XXX.XXX
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.XXX1 1
route inside 172.0.0.0 255.255.224.0 172.0.5.1 1
route DMZ 192.168.0.0 255.255.255.255 192.168.0.2 1
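As an added example (not part of the original post), one way to order the DMZ ACL so that the ADFS host reaches only its inside dependency while the rest of the DMZ keeps internet access: the ASA evaluates an access list top-down and stops at the first match, so the specific permit and the deny towards the inside address space must sit above the general permit to any. Assumptions: the inside address space is 172.0.0.0/19 (taken from the `route inside` entry), the object name INSIDE_NETS is new, and TCP/443 is a placeholder for whatever ports the ADFS deployment actually needs.

```cisco
! Added example, not from the original post.
! Assumed: inside address space 172.0.0.0/19, DMZ-ADFS-01 must reach the
! inside DC CHU-DC-01, and the required service is TCP/443 (placeholder).
object network INSIDE_NETS
 subnet 172.0.0.0 255.255.224.0
!
! 1. Permit only the specific DMZ -> Inside flow that ADFS requires.
access-list DMZ_access_in extended permit tcp object DMZ-ADFS-01 object CHU-DC-01 eq https
!
! 2. Deny everything else from the DMZ to the inside address space and log it,
!    so any other DMZ host probing inward shows up in the syslog.
access-list DMZ_access_in extended deny ip 192.168.0.0 255.255.255.0 object INSIDE_NETS log
!
! 3. Only after the deny, allow general outbound (internet) traffic.
access-list DMZ_access_in extended permit ip 192.168.0.0 255.255.255.0 any
!
access-group DMZ_access_in in interface DMZ
```

Because new ACEs are appended at the end, the existing `permit ip 192.168.0.0 255.255.255.0 object obj_any` line must be removed (or the new entries inserted above it with `access-list DMZ_access_in line N ...`), otherwise the deny is never reached; `show access-list DMZ_access_in` confirms the resulting order and hit counts.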