ACL help with Cisco ASA 8.4
Posted on 2011-09-02
I’m having a big issue with ACLs on a Cisco ASA running 8.4. In a nutshell, the ACLs currently in place are causing a huge security hole. I’m not sure how to fix it.
We need ACLs that allow all of our DMZ servers to be able to access the Internet via ports 80 and 443. We also have a group of FTP servers that need to connect outbound. We added the ACLs below, which accomplish the task. What I just discovered is that while the DMZ servers can get to the Internet via ports 80 and 443, they can also get to any server on the internal network that has ports 80 and 443 open!!
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp
I’ve worked a lot with versions 6 and 7 of the operating systems for the PIX and ASA, but I’m new to the 8.4 world. In older versions the ACLs above would work perfectly. Since the inside interface is at a higher security level, traffic from the DMZ couldn’t access the internal network unless specific ACLs and static entries were made. By using an “any” in an ACL it would automatically send traffic outbound to the lower security interface. In the 8.4 world it seems “any” means in any direction, both to the Internet and the internal network. Obviously this is a huge problem, and my attempts thus far to fix it haven’t worked.
I’ve tried the ACL below but it doesn’t work. The DMZ servers can’t access anything on the Internet via port 80.
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers interface outside eq www
Could someone tell me what I am doing wrong? I just want the traffic to go out, not in. The security level of the inside interface is obviously 100. The DMZ is set for 50. I have no idea why this traffic is able to access the internal network. HELP!
Thanks for any assistance.
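Added example, not part of the original post: one way to keep the outbound web and FTP permits while stopping the DMZ from reaching inside hosts is to place explicit deny entries ahead of the permits, because an interface ACL is evaluated top down and a destination of `any` matches hosts behind every interface, the inside one included. The inside address ranges, the interface name `DMZ`, and the host addresses used in the packet-tracer checks are placeholder assumptions.

```cisco
! Assumed inside address space (placeholder values; replace with the real inside subnets)
object-group network INSIDE_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0

! Insert the denies at the top so they are evaluated before the existing permits
access-list DMZ_access_in line 1 extended deny ip object-group DMZ_Servers object-group INSIDE_NETS
access-list DMZ_access_in line 2 extended deny ip object-group FTP_Servers object-group INSIDE_NETS

! Existing permits from the post, repeated for completeness; they now only match
! destinations that fell through the denies above, i.e. addresses outside INSIDE_NETS
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp

! Bind the ACL inbound on the DMZ interface (interface name DMZ is assumed)
access-group DMZ_access_in in interface DMZ

! Checks (constructed addresses): a DMZ host to an inside web server should be dropped
! by the deny; the same host to an Internet web server should be allowed
packet-tracer input DMZ tcp 172.16.1.10 40000 10.1.1.20 80
packet-tracer input DMZ tcp 172.16.1.10 40000 203.0.113.50 80
! Hit counts per entry confirm which line each test packet matched
show access-list DMZ_access_in
```

The `interface outside` keyword in the attempt that failed matches only the outside interface's own address, not hosts beyond it, which is why web traffic stopped entirely.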