348 Views · 2 Helpful · 5 Replies

Limiting traffic between different security level interfaces on ASA

api1 (Level 1)

Greetings! I hope somebody can guide me on how this is supposed to be done! Sorry, I'm a noob and can't seem to find an answer.

Let's say I have 3 subnets/VLANs/interfaces with security levels:

inside (90)
dmz (10)
outside (0)

Let's say I want to allow HTTP/HTTPS outgoing traffic from DMZ to the Internet. So I create an ACL on the DMZ interface to allow any machine in the DMZ subnet to connect via HTTP/HTTPS to 'any'. But, as a result, I'm automatically allowing HTTP/HTTPS traffic from DMZ to any machine in the 'inside' subnet (even though it has a higher security level, and I definitely don't want to allow that). How do I go about it? I.e. I want to allow machines in DMZ to connect via HTTP(S) to any IP, but only going 'through' the 'outside' interface.

Thank you


5 Replies

Traffic initiated from DMZ to OUT makes the ASA build a conn entry specifying DMZ and OUT as the interfaces of the traffic.

The return traffic allowed is ONLY from OUT to DMZ, not from OUT to DMZ and IN.

The ASA checks the conn for return traffic.

MHM

I split my answer because ACLs with security levels are more than can be explained in one comment.

I saw a link before that helped me a lot; I searched for it and found it.

Check it; it is for you and others and answers all questions about this topic:

https://networkdirection.net/articles/firewalls/asa-securitylevels/

Thanks a lot

MHM

You need an ACL that has multiple elements. I build my DMZ-ACLs typically in the following way:

1) Permit from DMZ IPs to internal systems, whatever is needed
2) Deny from Any to RFC1918; I assume that all internal systems have RFC1918 addresses
3) Permit DMZ IPs to Any for Internet communication

In 3) the Any is only the internet as 2) already denied the communication to inside.

On FTD this is much easier as we can use incoming and outgoing zones.

Thank you!

Marvin Rhoads (Hall of Fame)

Higher security can, by default, initiate traffic to lower security so no ACL is needed for that. So inside-dmz, inside-outside and dmz-outside don't need an ACL. Only when you put an ACL in place on an interface does the behavior follow the ACL (with an implicit DENY all for that interface when traffic does not match the ACL).

If you wanted to restrict the dmz to internet traffic to https but at the same time prohibit it from initiating traffic to the inside, you would start with an ACL entry prohibiting something like all RFC 1918 networks (or whatever you are using inside), then allow all other traffic using port 443 (tcp for https and udp for QUIC).
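Both answers above rely on the same property of ASA interface ACLs: entries are evaluated top to bottom, the first match wins, and anything unmatched hits the implicit deny. The following is an added example, not code from the thread or from Cisco, that simulates that first-match evaluation for the three-element DMZ ACL the answers describe and renders the equivalent `access-list` lines. The DMZ subnet (192.168.10.0/24), the internal system the DMZ is allowed to reach (10.1.1.5 on TCP 1433), and the ACL name `DMZ_IN` are constructed placeholders, not values from the thread.

```python
"""Added example (not from the thread): first-match simulation of the
DMZ ACL ordering recommended above. All addresses and names are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the spirit of an ASA extended ACL line."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip = any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport

    def to_asa(self, name: str) -> str:
        """Render the equivalent 'access-list' line (ASA uses subnet masks, not wildcards)."""
        def net(n: IPv4Network) -> str:
            return "any" if n == ANY else f"{n.network_address} {n.netmask}"
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"access-list {name} extended {self.action} {self.proto} {net(self.src)} {net(self.dst)}{port}"


def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """ASA semantics: first matching entry wins; no match means implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


def render(acl, name: str = "DMZ_IN"):
    """The ACL as it would be typed on the ASA (constructed ACL name)."""
    return [ace.to_asa(name) for ace in acl]


DMZ = ip_network("192.168.10.0/24")    # constructed DMZ subnet
INSIDE_DB = ip_network("10.1.1.5/32")  # constructed internal host DMZ may reach

# Entries in the order both answers recommend:
# 1) specific internal access, 2) deny everything else internal, 3) Internet.
DMZ_ACL = [
    Ace("permit", "tcp", DMZ, INSIDE_DB, 1433),
    *[Ace("deny", "ip", ANY, net) for net in RFC1918],
    Ace("permit", "tcp", DMZ, ANY, 443),   # HTTPS to the Internet
    Ace("permit", "udp", DMZ, ANY, 443),   # QUIC to the Internet
]

# The original poster's single-entry ACL, kept for comparison.
NAIVE_ACL = [Ace("permit", "tcp", DMZ, ANY, 443)]

if __name__ == "__main__":
    for line in render(DMZ_ACL):
        print(line)
    print(evaluate(DMZ_ACL, "tcp", "192.168.10.20", "10.1.1.7", 443))       # deny
    print(evaluate(DMZ_ACL, "tcp", "192.168.10.20", "203.0.113.10", 443))   # permit
    print(evaluate(NAIVE_ACL, "tcp", "192.168.10.20", "10.1.1.7", 443))     # permit
```

With the ordered ACL, an HTTPS connection from the DMZ to 10.1.1.7 is denied by entry 2 before entry 3 is ever consulted, while the same connection to an Internet address falls through the RFC1918 denies and is permitted by entry 3; the single-entry ACL from the question permits both, which is exactly the problem the poster observed. Swapping entries 2 and 3 would reproduce that problem on the ASA, so the order is the whole point.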
