Cisco ASA Firewall - DMZ to Inside Access

posted 15 Jul 2015, 09:13 by Tristan Self   [ updated 15 Jul 2015, 09:26 ]
On a Cisco ASA firewall you will probably want to use the DMZ for web-facing servers and restrict or deny their access to the internal network. The idea is that a connection to a web server in your DMZ terminates in the DMZ, and if a further connection is required, e.g. for a database lookup, it is made back through the firewall from the DMZ to the internal server on the inside.

When a firewall is brand new and unconfigured, each interface has an implicit incoming rule that permits traffic to "any less secure networks". This means that if you have configured the interface security levels as follows:

outside = 0
inside = 100
dmz = 50

then the following is true:

A host on the inside (internal network) can access anything on the dmz or outside (internet) using the default implicit rules.
A host on the dmz (DMZ network) can access anything on the outside (internet) but not the inside (internal network) using the default implicit rules, because they only allow "any less secure networks".

But as soon as you add your own rules to the ACL, this implicit rule is removed and an implicit deny is added to the end, so only the traffic you explicitly permit is allowed.

So onto the point of this article. A scenario to explain it all.

If you have a host on your DMZ network and you want it to be allowed to access the internet only on HTTP or HTTPS (i.e. DMZ to outside) and to access the internal network only on TCP/1433 (SQL) (i.e. DMZ to inside), you need to set up the commands below.

The rule set is split into the 4 sections below: allow specific traffic from the DMZ to the inside host, block all other traffic from the DMZ to the inside, allow traffic from the DMZ to the internet, and block anything else.

In the commands, <dmz-host-ip> is a placeholder for the IP address of the DMZ host.

1. Allow specific traffic from the DMZ to the inside.

access-list dmz_access_in line 1 extended permit tcp host <dmz-host-ip> object inside-network eq 1433

2. Deny all other traffic from the DMZ to the inside.

access-list dmz_access_in line 2 extended deny ip host <dmz-host-ip> object inside-network

3. Allow specific traffic from the DMZ to the outside.

access-list dmz_access_in line 3 extended permit tcp host <dmz-host-ip> any4 eq http

access-list dmz_access_in line 4 extended permit tcp host <dmz-host-ip> any4 eq https

4. Block everything else.

access-list dmz_access_in line 5 extended deny ip any any
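
The order of these entries matters: an ASA ACL is evaluated top-down and the first match wins, and any4 in lines 3 and 4 also covers the inside network. The Python sketch below is an added example, not part of the original post; it models the five entries with constructed addresses (192.0.2.10 for the DMZ host, 10.0.0.0/24 for inside-network, both assumptions) and shows what happens if the inside deny is moved below the web permits.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the original post).
DMZ_HOST = "192.0.2.10"
INSIDE_NET = "10.0.0.0/24"
ANY = "0.0.0.0/0"

# (action, protocol, source, destination, destination port or None for any)
# Mirrors lines 1-5 of dmz_access_in as described in the post.
RULES = [
    ("permit", "tcp", DMZ_HOST, INSIDE_NET, 1433),
    ("deny",   "ip",  DMZ_HOST, INSIDE_NET, None),
    ("permit", "tcp", DMZ_HOST, ANY, 80),
    ("permit", "tcp", DMZ_HOST, ANY, 443),
    ("deny",   "ip",  ANY,      ANY, None),
]

def _in(addr, net):
    # A bare address is treated as a /32 network by ip_network().
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, proto, src, dst, dport):
    """Return (action, 1-based entry number) of the first matching entry."""
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if r_proto not in ("ip", proto):
            continue
        if not (_in(src, r_src) and _in(dst, r_dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, n
    return "deny", None  # implicit deny at the end of every ACL

def misordered(rules):
    """Same entries, but the inside deny placed after the web permits."""
    return [rules[0], rules[2], rules[3], rules[1], rules[4]]

if __name__ == "__main__":
    flows = [("tcp", "10.0.0.5", 1433), ("tcp", "10.0.0.5", 80),
             ("tcp", "203.0.113.7", 443), ("udp", "203.0.113.7", 53)]
    for proto, dst, port in flows:
        good = evaluate(RULES, proto, DMZ_HOST, dst, port)
        bad = evaluate(misordered(RULES), proto, DMZ_HOST, dst, port)
        print(f"{proto} -> {dst}:{port}  as written={good}  misordered={bad}")
```

With the entries misordered, HTTP from the DMZ host to an inside address is permitted by the any4 entry before the inside deny is ever reached.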