Outgoing access rule

Posted on 2007-10-05
Last Modified: 2012-06-22
Need advice on how to best set up outgoing access from a DMZ when restricting certain ports. By default I understand that the implicit rule is to allow all traffic to any less secure networks. As soon as I add any rule in there that is more restrictive, the implicit rule goes away. I understand that concept. Where I'm struggling is that I want my DMZ servers to be able to have certain access out - such as http, ftp, smtp - but nothing else. I don't want to do 'any, any' because then access to the Inside network would be available. I tried to address the Outside network - but that didn't work either. I also tried - via ASDM - to put in 'any less secure networks' - but it wouldn't allow it. How do I best accomplish this? I'm just a little wary of allowing full access outbound to the internet from the DMZ like the implicit rule specifies - or is that always the way it's done?
Question by:entserv

    Accepted Solution

    The trick is to first deny anything from the DMZ to the internal network and then allow what you want. For example:

    ! First deny the DMZ to the inside network (INSIDE_NET INSIDE_MASK is a placeholder for your inside subnet)
    access-list dmz_out extended deny ip any INSIDE_NET INSIDE_MASK
    ! Then permit only the wanted services; "eq <port>" requires tcp, not ip
    access-list dmz_out extended permit tcp any any eq www
    access-list dmz_out extended permit tcp any any eq ftp
    access-list dmz_out extended permit tcp any any eq smtp
    ! Apply inbound on the DMZ interface (assumes its nameif is "dmz")
    access-group dmz_out in interface dmz

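To see why the order of the entries matters, here is an added Python model of the ASA's first-match evaluation with the trailing implicit deny; it is not part of the original answer, and the ACL text and addresses (10.0.0.0/8 standing in for the inside network, 192.0.2.x as DMZ hosts, 198.51.100.x as internet hosts) are constructed for the example.

```python
import ipaddress

# Port names that appear in the access-list lines above.
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}

# Constructed ACL: 10.0.0.0/8 stands in for the inside network.
DMZ_OUT = """
access-list dmz_out extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_out extended permit tcp any any eq www
access-list dmz_out extended permit tcp any any eq ftp
access-list dmz_out extended permit tcp any any eq smtp
"""

def take_addr(tok, i):
    """Consume an ASA address spec: any | host A.B.C.D | NET MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):
    """Parse access-list lines into (action, proto, src, dst, dst_port) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1]
        src, i = take_addr(tok, i + 2)
        dst, i = take_addr(tok, i)
        port = None
        if i + 1 < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match falls to the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"
```

Feeding the same four lines in reverse order makes evaluate() return permit for a DMZ host reaching an inside web server, which is exactly why the deny has to sit above the permits.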
    Author Comment

    Haha yikes - that makes too much sense!  I wasn't sure if there was 'proper' way to do it and this seems to be it.  Coming from another firewall vendor's world it's taking a bit to get used to how Cisco does things.  Thank you so much!!

    Expert Comment

    Forced accept.

    EE Admin
