10-13-2024 09:26 AM - edited 10-13-2024 09:28 AM
Hello everyone, please help me. I want to create 3 sections: INSIDE, OUTSIDE and DMZ. From OUTSIDE it should be possible to ping and access services in the DMZ. INSIDE does the same thing, with the addition of being able to ping OUTSIDE (8.8.8.8). Only INSIDE can ping OUTSIDE, not the reverse (OUTSIDE cannot ping INSIDE). I used the following method: rules like
access-list DMZ-ACCESS extended permit icmp any any
access-list DMZ-ACCESS extended permit tcp any any eq www
access-list DMZ-ACCESS extended permit tcp any any eq 8080
access-list DMZ-ACCESS extended permit tcp any any eq domain
access-list DMZ-ACCESS extended permit udp any any eq domain
access-list DMZ-ACCESS extended permit udp any any eq bootps
access-list DMZ-ACCESS extended permit udp any any eq bootpc
access-list INTERNET-ACCESS extended permit icmp any any
access-list INTERNET-ACCESS extended permit tcp any any eq domain
access-list INTERNET-ACCESS extended permit udp any any eq domain
access-list INTERNET-ACCESS extended permit tcp any any eq www
access-list INTERNET-ACCESS extended permit tcp any any eq 8080
access-list INTERNET-ACCESS extended permit tcp any any
access-list IN-DMZ extended permit tcp any any
access-list IN-DMZ extended permit udp any any
access-group DMZ-ACCESS in interface DMZ
access-group IN-DMZ out interface INSIDE
access-group INTERNET-ACCESS in interface OUTSIDE
I have applied the above rules, but web access to the DMZ is not possible. And what I don't want is for OUTSIDE to be able to access INSIDE. So please help me, everyone.
10-14-2024 09:53 AM
I believe this is it. Some things I did with ACLs and some with inspection. The ASA in Packet Tracer is a bit buggy. Hope that helps.
10-13-2024 03:42 PM
Attach the Packet Tracer file here instead. Zip it first.
10-13-2024 05:19 PM
I don't know how to get that file, can you help me?
10-13-2024 07:09 PM - edited 10-13-2024 07:09 PM
Sure. In Packet Tracer, go to File, Save As, choose a folder on your PC and save the file.
After that, right-click on the file, go to "Send to" and use the option "Compressed (zipped) folder". Then attach the zipped folder here.
10-13-2024 07:17 PM
10-13-2024 10:08 PM
ASA's password is Cisco
10-14-2024 05:24 AM
10-14-2024 06:23 AM
Thank you very much. Can you help me with one more thing: can the computers in INSIDE and OUTSIDE access the web?
10-14-2024 07:10 AM
Let me check.
10-14-2024 09:53 AM
10-14-2024 10:05 AM
Thank you, can you explain to me why I'm wrong?
10-14-2024 10:25 AM
I'm not saying you are wrong, actually, but the ASA in Packet Tracer is a bit buggy, as I said, and this can add some challenges.
For example, the ASA does not work well with OSPF; when working with the ASA in Packet Tracer, give preference to static routes.
The ACL was correct, but it was presenting weird behavior. Basically, if you have an interface with a security level of 100 (inside), the traffic toward an interface with security level 0 (outside) is allowed as long as you have inspection.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
  inspect icmp
  inspect http
With this configuration you don't need to add an ACL, which makes it easier.
The ACL will be required for the traffic coming from OUTSIDE to DMZ, because OUTSIDE has a lower security level than DMZ.
10-14-2024 10:35 AM
Thank you very much 🥰🥰. Can you explain to me how the access list is related to priority?
10-14-2024 11:01 AM
Not sure if I understood. The ACL is read by the firewall from top to bottom. The first match is used to take the action.
Is that what you are asking?
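The two replies above rest on two ASA rules: an inbound ACL is read top-down and the first matching entry wins, with an implicit deny at the end, and when no inbound ACL is bound to an interface, traffic from a higher security level to a lower one is allowed while the reverse is denied (binding an inbound ACL replaces that default with the ACL itself). The script below is an added example, not code from the thread or from Cisco, that models exactly those two decisions so the thread's flows can be checked offline. The subnets, the DMZ security level of 50 and both OUTSIDE ACLs are assumptions; the "loose" ACL copies the shape of the original post's INTERNET-ACCESS, which ends in `permit tcp any any`. NAT and routing are ignored, so this shows only the ACL/security-level stage.

```python
# Added example (not from the thread): model of the ASA's per-interface
# decision for a new connection. Rule 1: a bound inbound ACL is read top-down,
# first match wins, implicit deny at the end. Rule 2: with no inbound ACL,
# higher-to-lower security level is permitted, lower-to-higher is denied.
# Addresses, the DMZ level (50) and the two OUTSIDE ACLs are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One 'access-list NAME extended <action> <proto> <src> <dst> [eq port]' line."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                     # "any" or a CIDR such as "10.0.0.0/24"
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[list] = None   # ACL bound with 'access-group NAME in interface NAME'


def evaluate(ingress: Interface, egress: Interface, proto: str,
             src: str, dst: str, dport: Optional[int] = None) -> tuple:
    """Return (verdict, reason) for a flow entering on `ingress` and leaving via `egress`."""
    if ingress.acl_in is not None:
        # Rule 1: the bound ACL decides; first match from the top wins.
        for n, ace in enumerate(ingress.acl_in, start=1):
            if ace.matches(proto, src, dst, dport):
                return ace.action, f"ACE {n} of the ACL on {ingress.name}"
        return "deny", f"implicit deny at the end of the ACL on {ingress.name}"
    # Rule 2: no ACL bound, so the security levels decide.
    levels = f"{ingress.name}({ingress.security_level}) -> {egress.name}({egress.security_level})"
    if ingress.security_level > egress.security_level:
        return "permit", levels + " is higher-to-lower"
    return "deny", levels + " is lower-to-higher and needs an ACL"


# Assumed topology: INSIDE 10.0.0.0/24 (100), DMZ 192.168.1.0/24 (50), OUTSIDE (0).
DMZ_NET = "192.168.1.0/24"

# Shaped like the original post's INTERNET-ACCESS: it ends in 'permit tcp any any'.
LOOSE_OUTSIDE_ACL = [
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "tcp", "any", "any", 80),
    Ace("permit", "tcp", "any", "any"),
]

# Tightened version: only what the DMZ publishes, nothing toward INSIDE.
TIGHT_OUTSIDE_ACL = [
    Ace("permit", "icmp", "any", DMZ_NET),
    Ace("permit", "tcp", "any", DMZ_NET, 80),
    Ace("permit", "tcp", "any", DMZ_NET, 8080),
]


def build(outside_acl: list) -> tuple:
    inside = Interface("INSIDE", 100)             # no ACL bound, rule 2 applies
    dmz = Interface("DMZ", 50)                    # no ACL bound, rule 2 applies
    outside = Interface("OUTSIDE", 0, outside_acl)
    return inside, dmz, outside


def verdicts(outside_acl: list) -> dict:
    """Verdicts for the flows discussed in the thread, keyed by a short label."""
    inside, dmz, outside = build(outside_acl)
    return {
        "inside->outside ping": evaluate(inside, outside, "icmp", "10.0.0.5", "8.8.8.8")[0],
        "inside->dmz web": evaluate(inside, dmz, "tcp", "10.0.0.5", "192.168.1.10", 80)[0],
        "outside->dmz web": evaluate(outside, dmz, "tcp", "203.0.113.7", "192.168.1.10", 80)[0],
        "outside->inside ssh": evaluate(outside, inside, "tcp", "203.0.113.7", "10.0.0.5", 22)[0],
    }


if __name__ == "__main__":
    for label, acl in (("loose", LOOSE_OUTSIDE_ACL), ("tight", TIGHT_OUTSIDE_ACL)):
        print(label, verdicts(acl))
```

With the loose ACL the OUTSIDE-to-INSIDE SSH flow is permitted at the ACL stage because it reaches the third entry, `permit tcp any any`, before the implicit deny; with the tightened ACL it falls off the end and is denied, while OUTSIDE-to-DMZ web and the INSIDE-originated flows come out the same either way. On a real ASA the equivalent check is `packet-tracer input OUTSIDE tcp 203.0.113.7 12345 192.168.1.10 80`, which also walks NAT and routing, and `show access-list` shows per-entry hit counts; whether the Packet Tracer simulator supports those commands is not something the thread says.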