CISCO ASA CONFIGURATION FOR DMZ TO INSIDE ZONE AND DMZ TO INTERNET ZONE COMMUNICATION

On a Cisco ASA firewall, a customized configuration is often required to allow communication between assets that sit in different security zones. Before doing so it is important to recall the default security levels of the zones configured on a Cisco ASA firewall, shown below –

Outside Zone (Unsecured)   = 0

Inside Zone (Secured)      = 100

DMZ Zone (Semi Secured)    = 50

Please note that traffic from a more secure zone (higher security level) to a less secure zone is permitted by default; traffic from a less secure zone to a more secure zone is not, and requires an access policy to be implemented on the firewall.

Below is a scenario in which a server in the DMZ zone needs to communicate with the Internet zone and with a few selected IPs in the inside (secured) zone.


The key requirements for DMZ access are listed below –

  • The Web Server in the DMZ (IP 172.16.0.10) should have access to the unsecured Internet over HTTP and HTTPS only; all other traffic should be blocked.
  • The DMZ Web Server should be able to reach the SQL Server in the inside network; all other traffic from the DMZ to the inside should be blocked.


STEP 1 –

Allow specific traffic from the DMZ to the inside (sqlnet is the ASA port name for TCP/1521, Oracle Net):

access-list DMZ_WEB line 1 extended permit tcp host 172.16.0.10 object inside-network eq sqlnet

Deny all other traffic from the DMZ to the inside (the network object must be referenced with the object keyword, as in line 1):

access-list DMZ_WEB line 2 extended deny ip host 172.16.0.10 object inside-network

STEP 2 –

Allow specific traffic from the DMZ to the outside.

access-list DMZ_WEB line 3 extended permit tcp host 172.16.0.10 any4 eq http

access-list DMZ_WEB line 4 extended permit tcp host 172.16.0.10 any4 eq https

STEP 3 –

Block everything else.

access-list DMZ_WEB line 5 extended deny ip any any
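The ASA evaluates an access list top-down and the first matching entry wins, which is why the deny in line 2 must sit above the any4 permits in lines 3 and 4: if it came after them, HTTP or HTTPS from the web server to an inside host would match line 3 or 4 and be permitted. Note also that the list only takes effect once it is bound to the DMZ interface with access-group DMZ_WEB in interface followed by the DMZ interface name, a step not shown in the steps above. The following is an added example, not configuration from the original post: a small Python model of ASA first-match evaluation over the five entries above. It assumes a constructed definition for the inside-network object (10.0.0.0/24), a constructed Internet address from the documentation range (203.0.113.7), and the page's own port names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumption: the post never defines the "inside-network" object,
# so this model binds it to an arbitrary RFC 1918 prefix for illustration.
OBJECTS = {"inside-network": ipaddress.ip_network("10.0.0.0/24")}

# ASA port names used by the ACL, mapped to the TCP ports they stand for
# (sqlnet is the ASA literal for Oracle Net, TCP/1521).
PORT_NAMES = {"http": 80, "https": 443, "sqlnet": 1521}

# The five entries from the post, in the order the ASA will evaluate them.
DMZ_WEB_ACL = """
access-list DMZ_WEB line 1 extended permit tcp host 172.16.0.10 object inside-network eq sqlnet
access-list DMZ_WEB line 2 extended deny ip host 172.16.0.10 object inside-network
access-list DMZ_WEB line 3 extended permit tcp host 172.16.0.10 any4 eq http
access-list DMZ_WEB line 4 extended permit tcp host 172.16.0.10 any4 eq https
access-list DMZ_WEB line 5 extended deny ip any any
"""


@dataclass
class Ace:
    line: int
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]     # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (host X | object NAME | any | any4); return (network, next index)."""
    kw = tokens[i]
    if kw == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if kw == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    if kw in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    raise ValueError(f"unsupported address spec {kw!r}")


def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of ASA extended ACL syntax used above into ACEs sorted by line number."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        # access-list NAME line N extended ACTION PROTO SRC DST [eq PORT]
        line, action, proto = int(t[3]), t[5], t[6]
        src, i = _parse_addr(t, 7)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        aces.append(Ace(line, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.line)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching ACE wins, as on the ASA; the implicit deny applies if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.line
    return "deny", None


def move_ace(aces: List[Ace], line: int, after_line: int) -> List[Ace]:
    """Return a copy of the ACL with entry `line` placed right after entry `after_line` (ordering demo)."""
    moved = next(a for a in aces if a.line == line)
    rest = [a for a in aces if a.line != line]
    idx = next(i for i, a in enumerate(rest) if a.line == after_line) + 1
    return rest[:idx] + [moved] + rest[idx:]


def check_requirements(aces: List[Ace]) -> dict:
    """Evaluate constructed sample flows that cover the post's requirements; returns flow -> action."""
    flows = {
        "web->inside sqlnet": ("tcp", "172.16.0.10", "10.0.0.5", 1521),
        "web->inside http": ("tcp", "172.16.0.10", "10.0.0.5", 80),
        "web->internet http": ("tcp", "172.16.0.10", "203.0.113.7", 80),
        "web->internet https": ("tcp", "172.16.0.10", "203.0.113.7", 443),
        "web->internet ssh": ("tcp", "172.16.0.10", "203.0.113.7", 22),
        "other dmz host->internet http": ("tcp", "172.16.0.20", "203.0.113.7", 80),
    }
    return {name: evaluate(aces, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    acl = parse_acl(DMZ_WEB_ACL)
    for name, action in check_requirements(acl).items():
        print(f"{name:32s} {action}")
    # Demonstrate the ordering pitfall: deny-to-inside moved below the any4 permits.
    misordered = move_ace(acl, line=2, after_line=4)
    print("misordered web->inside http:", evaluate(misordered, "tcp", "172.16.0.10", "10.0.0.5", 80))
```

On a real ASA the same check is done per flow with packet-tracer, for example packet-tracer input dmz tcp 172.16.0.10 12345 10.0.0.5 80 (interface name assumed), which reports the ACL line that permitted or dropped the packet.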