Cisco – ASA 5505 not allowing traffic to lower security interface

cisco cisco-asa

We have an ASA 5505 with a VLAN setup for each of outside, inside and two dmz interfaces. The outside interface is set to security level 0, inside set to 100, and both dmz interfaces set to 50.

Unfortunately, the device is not passing traffic from one of the dmz interfaces (the other is currently disabled) to the outside interface by default, as I'm expecting. I'm expecting that going from higher security to lower security, traffic should not get caught by an implicit ACL. However, the packet-tracer tool shows this to be the case – that it is getting blocked at step 2 by an implicit ACL. I added an ACE to allow traffic to outside IPs, and the traffic does flow now. However, this shouldn't need to be done. It will create a management burden going forward, defining all allowed ranges of IPs, ports, protocols, etc.

The license on the ASA has Security Plus. Show version lists:

Cisco Adaptive Security Appliance Software Version 8.4(4)
Device Manager Version 6.4(9)

Licensed features for this platform:

Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted

Best Answer

Well, first off

I added an ACE to allow traffic to outside IPs, and the traffic does flow now. However, this shouldn't need to be done. It will create a management burden going forward, defining all allowed ranges of IPs, ports, protocols, etc.

That's actually best practice: properly configure security devices by filtering on the proper IPs and ports. Solely using security levels to filter traffic is bad practice in my opinion.

That being said, the traffic from a higher security interface to a lower security interface will pass without ACLs only if you use NAT between the two interfaces.

Edit to answer the questions in comments

In order to allow your DMZ to go on Internet but not in your LAN, the easiest way to do that is with two ACLs.

Let's say your internal network is using 192.168.1.0/24 and your DMZ is 10.0.0.0/27.

access-list [your access-group] extended deny ip 10.0.0.0 255.255.255.224 192.168.1.0 255.255.255.0
access-list [your access-group] extended permit ip any any

The rules are read from top to bottom and the firewall will use the first one that matches.

The other way to do it is to have ACLs on your Inside interface but with an access-group assigned to the outbound traffic.

access-group [acl-traffic-out] out inside

And then filter the traffic that you allow to leave the inside interface.

access-list acl-traffic-out extended deny ip 10.0.0.0 255.255.255.224 192.168.1.0 255.255.255.0

Although you can filter the traffic going out of an interface, as opposed to going in the interface, I rarely use it. It can get confusing when your rule base gets bigger.

Do note that you should restrict the traffic as much as you can. This is really just an example.
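As an added illustration (not part of the question or the answer above), here is a small Python model of the first-match ACL evaluation the answer relies on, using the answer's example ranges (LAN 192.168.1.0/24, DMZ 10.0.0.0/27). The parser is an assumption for this example and handles only `ip` ACEs with `any` or network/mask operands; it is not the ASA's own logic.

```python
import ipaddress
from typing import List, Tuple

# Constructed ACL in ASA 'access-list ... extended' form (ACL name omitted).
# Same two ACEs as the answer's first approach: deny DMZ->LAN, then permit the rest.
ACL_DMZ_IN = [
    "deny ip 10.0.0.0 255.255.255.224 192.168.1.0 255.255.255.0",
    "permit ip any any",
]

def parse_ace(line: str) -> Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Parse 'permit|deny ip SRC SMASK DST DMASK' (or 'any') into (action, src_net, dst_net)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled in this example")

    def net(ts):
        # 'any' consumes one token; 'addr mask' consumes two.
        if ts[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), 1
        return ipaddress.ip_network(f"{ts[0]}/{ts[1]}", strict=False), 2

    src, used = net(tokens[2:])
    dst, _ = net(tokens[2 + used:])
    return action, src, dst

def evaluate(acl: List[str], src_ip: str, dst_ip: str) -> str:
    """Top-to-bottom evaluation: the first matching ACE decides the verdict.
    If nothing matches, an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ASA ACL

if __name__ == "__main__":
    print(evaluate(ACL_DMZ_IN, "10.0.0.5", "192.168.1.10"))  # DMZ -> LAN: deny
    print(evaluate(ACL_DMZ_IN, "10.0.0.5", "8.8.8.8"))       # DMZ -> Internet: permit
    # Reversed order shows why ordering matters: the permit now shadows the deny.
    print(evaluate(list(reversed(ACL_DMZ_IN)), "10.0.0.5", "192.168.1.10"))
```

Swapping the two ACEs makes the `permit ip any any` shadow the deny, which is the ordering mistake to check for when rule bases grow.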