Outgoing access rule
Posted on 2007-10-05
Need advice on how to best set up outgoing access from a DMZ when restricting certain ports. By default I understand that the implicit rule is to allow all traffic to any less secure networks. As soon as I add any rule in there that is more restrictive, the implicit rule goes away. I understand that concept. What I'm struggling with is that I want my DMZ servers to be able to have certain access out - such as http, ftp, smtp - but nothing else. I don't want to do 'any, any' because then access to the Inside network would be available. I tried to address the Outside network - but that didn't work either. I also tried - via ASDM - to put in 'any less secure networks' - but it wouldn't allow. How do I best accomplish this? I'm just a little wary of allowing full access outbound to the internet from the DMZ like the implicit rule specifies - or is that always the way it's done?
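One way to express the policy described in the post on a Cisco ASA, added here as an illustration and not taken from the original post or any reply to it: an access list applied inbound on the DMZ interface that first denies anything destined for the inside network, then permits only the three services, and relies on the implicit deny at the end for everything else. The interface name `dmz` and the inside address block `10.0.0.0/24` are assumptions, not values from the post.

```cisco
! Inside network as seen from the DMZ (assumed placeholder, replace with yours)
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0

! 1. Block DMZ-initiated traffic toward the inside network first.
!    Order matters: ACL entries are evaluated top to bottom, first match wins.
access-list DMZ_OUT extended deny ip any object INSIDE_NET

! 2. Permit only the outbound services the DMZ hosts need.
access-list DMZ_OUT extended permit tcp any any eq www
access-list DMZ_OUT extended permit tcp any any eq ftp
access-list DMZ_OUT extended permit tcp any any eq smtp

! 3. Everything else from the DMZ is dropped by the implicit deny at the
!    end of the ACL once it is bound to the interface.
access-group DMZ_OUT in interface dmz
```

Two points worth checking after applying it: sessions the inside network opens toward the DMZ are unaffected, because the ASA is stateful and only the DMZ-initiated direction is filtered by this list; and active/passive FTP data connections depend on `inspect ftp` being present in the global service policy (it is in the default policy), otherwise the data channel will be dropped by the same implicit deny. `show access-list DMZ_OUT` shows hit counts per entry, which is the quickest way to confirm the deny line is being matched when a DMZ host tries to reach the inside.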