On a Cisco ASA firewall it is common to need a customized configuration for communication between assets that sit in different security zones. Before building such a policy it helps to restate the security levels of the zones configured on the ASA, as below –
Outside Zone (Unsecured) = 0
Inside Zone (Secured) = 100
DMZ Zone (Semi Secured) = 50
(The ASA automatically assigns security-level 100 to an interface named "inside" and 0 to every other interface; 50 for the DMZ is the usual convention rather than a default and must be set explicitly with the security-level command.)
Please note that, by default, traffic can be initiated from a higher security level to a lower one (and the stateful inspection engine allows the return traffic), whereas traffic initiated from a lower security level towards a higher one is denied and requires an explicit policy (an access list) on the firewall. Two further points matter for the scenario below: traffic between interfaces with the same security level is denied unless same-security-traffic permit is configured, and as soon as an access list is applied inbound on an interface it replaces the security-level behaviour for that interface, so anything the access list does not permit is dropped by its implicit deny, including the traffic from the DMZ to the Internet that would otherwise have been allowed by the levels alone.
Below is a scenario where we need to configure communication from a server in the DMZ zone to the Internet (outside) zone and to some selected IPs in the inside (secured) zone.
The key requirements for DMZ access are listed below –
- The web server (in the DMZ with IP 172.16.0.10) should have access to the unsecured Internet over HTTP and HTTPS only. All other traffic should be blocked.
- The DMZ web server should be able to reach the SQL Server in the inside network; all other traffic from the DMZ to the inside should be blocked.
STEP 1 –
Allow the specific traffic from the DMZ to the inside: only 172.16.0.10 to the SQL Server, and only on the SQL port. Immediately after that permit, deny everything else from the DMZ to the inside address space. The order matters, because the Internet rule in the next step uses a destination of "any", and "any" also matches inside addresses; without the deny in front of it, the web server could reach inside hosts on TCP 80 and 443.
STEP 2 –
Allow the specific traffic from the DMZ to the outside: 172.16.0.10 to any destination on TCP 80 and 443 only.
STEP 3 –
Block everything else. Once the access list is applied to the DMZ interface its implicit deny already does this, but an explicit deny with the log keyword at the end of the list gives you a hit counter and syslog entries for the blocked attempts, which is what you will want when the server behaves unexpectedly.
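The three steps expressed as an ASA configuration, as an added example that is not part of the original post. It uses ASA 8.3+ object syntax and assumes interface names of inside, dmz and outside, a hypothetical inside network of 10.10.10.0/24 with the SQL Server at 10.10.10.20 (the post gives no inside addresses), and that the SQL Server listens on the Microsoft SQL default port TCP 1433. NAT for the DMZ host towards the Internet is assumed to be configured separately and is not shown.

```cisco
! Added example (ASA 8.3+ syntax), not from the original post.
! Assumed: interface nameifs inside/dmz/outside, inside network 10.10.10.0/24,
! SQL Server 10.10.10.20 on TCP 1433 (MS SQL default), NAT configured elsewhere.

! Security levels: 100 is the default for "inside", 0 for anything else,
! so the DMZ level of 50 has to be set explicitly.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0

! Objects for the hosts and ports referenced by the policy.
object network DMZ-WEB
 host 172.16.0.10
object network INSIDE-SQL
 host 10.10.10.20
object-group network INSIDE-NETS
 network-object 10.10.10.0 255.255.255.0
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

! STEP 1: web server to the SQL Server only, then deny the rest of the inside.
! The deny must come BEFORE the "any" permit in step 2, because "any" also
! matches inside addresses.
access-list DMZ-IN remark STEP 1 - DMZ web server to inside SQL Server only
access-list DMZ-IN extended permit tcp object DMZ-WEB object INSIDE-SQL eq 1433
access-list DMZ-IN extended deny ip any object-group INSIDE-NETS log

! STEP 2: web server to the Internet on HTTP/HTTPS only.
access-list DMZ-IN remark STEP 2 - DMZ web server to Internet on HTTP/HTTPS
access-list DMZ-IN extended permit tcp object DMZ-WEB any object-group WEB-PORTS

! STEP 3: explicit deny with logging (the implicit deny would also drop this,
! but the explicit entry gives hit counts and syslog messages).
access-list DMZ-IN remark STEP 3 - block everything else
access-list DMZ-IN extended deny ip any any log

! Apply the list inbound on the DMZ interface. From this point the security
! levels no longer decide what the DMZ may initiate; only DMZ-IN does.
access-group DMZ-IN in interface dmz
```

To verify the policy without generating real traffic, use packet-tracer from the DMZ interface: `packet-tracer input dmz tcp 172.16.0.10 40000 10.10.10.20 1433` should show ALLOW on the first ACE, `packet-tracer input dmz tcp 172.16.0.10 40000 10.10.10.20 443` should be dropped by the inside deny (not permitted by the Internet rule), and `show access-list DMZ-IN` shows per-entry hit counts so you can confirm the deny entries are catching what you expect. One practical caveat: the requirements say HTTP and HTTPS only, so this list also blocks DNS; if the web server resolves Internet names itself rather than through an internal resolver that is reachable under step 1, a separate permit for UDP/TCP 53 to the chosen resolver would have to be added deliberately.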