

Outgoing access rule

Posted on 2007-10-05
Medium Priority
Last Modified: 2012-06-22
Need advice on how to best set up outgoing access from a DMZ when restricting certain ports. By default I understand that the implicit rule is to allow all traffic to any less secure networks. As soon as I add any rule in there that is more restrictive, the implicit rule goes away. I understand that concept. Where I'm struggling is that I want my DMZ servers to be able to have certain access out - such as http, ftp, smtp - but nothing else. I don't want to do 'any, any' because then access to the Inside network would be available. I tried to address the Outside network - but that didn't work either. I also tried - via ASDM - to put in 'any less secure networks' - but it wouldn't allow it. How do I best accomplish this? I'm just a little wary of allowing full access outbound to the internet from the DMZ like the implicit rule specifies - or is that always the way it's done?
Question by:entserv

Accepted Solution

grblades earned 200 total points
ID: 20022162
The trick is to first deny anything from the dmz to the internal network and then allow what you want. For example :-

access-list dmz_out remark deny the inside network first so no later permit can reach it
access-list dmz_out deny ip any xxx.xxx.xxx.xxx <inside-netmask>
access-list dmz_out permit tcp any any eq www
access-list dmz_out permit tcp any any eq ftp
access-list dmz_out permit tcp any any eq smtp
access-group dmz_out in interface <dmz-interface>

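The following is an added example, not code from the thread or from Cisco. It models the first-match, implicit-deny semantics of an interface ACL in plain Python so the effect of the rule order in the accepted answer can be checked without a firewall: the deny to the inside network must come before the port permits, otherwise a permit on port 80 "any any" would also reach inside hosts. The inside (10.0.0.0/24), DMZ (192.168.1.0/24) and internet (203.0.113.5) addresses are constructed sample values standing in for the question's real networks.

```python
"""First-match simulation of a DMZ egress ACL (added example, not from the thread).

Cisco ACL semantics modelled here: rules are evaluated top-down, the first
matching rule decides, and an explicit ACL ends with an implicit deny.
Protocol 'ip' in a rule matches any transport protocol.
"""
from ipaddress import ip_address, ip_network

# Constructed sample networks; the real inside network is whatever the
# 'xxx.xxx.xxx.xxx' placeholder in the answer stands for.
INSIDE = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Rule tuple: (action, protocol, src_net, dst_net, dst_port); None = any port.
# The ACL structured exactly as the accepted answer recommends.
DMZ_OUT = [
    ("deny",   "ip",  ANY, INSIDE, None),   # block inside first
    ("permit", "tcp", ANY, ANY,    80),     # www
    ("permit", "tcp", ANY, ANY,    21),     # ftp
    ("permit", "tcp", ANY, ANY,    25),     # smtp
]

# The shortcut the asker was wary of: a single 'any any' permit.
DMZ_OUT_ANY = [("permit", "ip", ANY, ANY, None)]

# Same rules as DMZ_OUT but with the inside deny moved to the end.
DMZ_OUT_WRONG_ORDER = DMZ_OUT[1:] + DMZ_OUT[:1]


def evaluate(acl, proto, src, dst, port):
    """Return 'permit' or 'deny' for one flow; first match wins, implicit deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"  # implicit deny at the end of every explicit ACL


def inside_exposure(acl, dmz_host="192.168.1.10", inside_host="10.0.0.5"):
    """Return the list of well-known TCP ports on which a DMZ host can reach inside."""
    return [p for p in (21, 22, 25, 80, 443, 445)
            if evaluate(acl, "tcp", dmz_host, inside_host, p) == "permit"]


if __name__ == "__main__":
    dmz, web = "192.168.1.10", "203.0.113.5"
    print("DMZ -> internet :80  ", evaluate(DMZ_OUT, "tcp", dmz, web, 80))
    print("DMZ -> internet :22  ", evaluate(DMZ_OUT, "tcp", dmz, web, 22))
    print("DMZ -> inside   :80  ", evaluate(DMZ_OUT, "tcp", dmz, "10.0.0.5", 80))
    print("inside ports open from DMZ, correct order:", inside_exposure(DMZ_OUT))
    print("inside ports open from DMZ, wrong order:  ", inside_exposure(DMZ_OUT_WRONG_ORDER))
    print("inside ports open from DMZ, 'any any':    ", inside_exposure(DMZ_OUT_ANY))
```

With the deny placed first, the only traffic the DMZ can originate is web, ftp and smtp to the internet; everything else, inside network included, falls to the deny. Moving the deny after the permits reopens ports 21, 25 and 80 toward inside hosts, which is the ordering mistake the answer's "first deny ... then allow" wording guards against.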
Author Comment

ID: 20022185
Haha yikes - that makes too much sense! I wasn't sure if there was a 'proper' way to do it and this seems to be it. Coming from another firewall vendor's world it's taking a bit to get used to how Cisco does things. Thank you so much!!

Expert Comment

ID: 20370048
Forced accept.

EE Admin
