Cisco ASA with DMZ - Allow internal hosts

I have a Cisco ASA with a DMZ. I'm wondering what are some resources/ best practices on allowing internal hosts on the corporate LAN to access a host which is in the DMZ. The host in the DMZ is accessible over port 443. One question lingering, is how do you allow the host in the DMZ to access a host in the private network only when the connection is initiated by the host in the private network.

Commented:
On the private side, add an access-list entry to permit tcp/443 to the DMZ host...

Hi,
By default on an ASA the inside LAN can always access the DMZ, bypassing NAT rules and without the need for access lists.
Vice versa, connections initiated from the DMZ are not allowed to the inside interface unless you create NAT rules and access lists.

hope this helps
max

Author

Commented:
Simple enough, my default Security Levels were wrong. DMZ should be 50, Inside 100, and Outside 0. This addressed my concern about preventing traffic originating in the DMZ from entering the Inside network.

https://www.youtube.com/watch?v=eeTZZN5U858

max_the_king - your comment "by default on ASA inside LAN can always access DMZ, bypassing nat rules and without the need of access lists" made me think about the Security Levels.
Yep, the higher the security level, the more secure the zone is. You usually give 100 to inside and 0 to the outside interface. In the middle you may create other zones.
max
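The layout the thread converges on (inside 100, dmz 50, outside 0, inside allowed to reach the DMZ host on tcp/443 only, nothing initiated from the DMZ reaching inside), written out as an added example ASA configuration that is not from the thread. Interface names, addresses, object and ACL names are constructed placeholders; the ACL on the inside interface is optional since security levels alone already permit inside-to-DMZ, but it narrows that access to the one host and port.

```cisco
! Added example (not from the thread); all addresses and names are placeholders.
! Security levels: higher-to-lower traffic is allowed by default and return
! traffic is handled by stateful inspection, so inside-initiated HTTPS to the
! DMZ host works and its replies come back without any DMZ-side rule.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
object network DMZ_WEB
 host 192.168.50.10
!
! Inside-facing ACL: once an ACL is bound, everything not permitted is dropped
! (implicit deny), so keep a permit for whatever else inside hosts may reach.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 object DMZ_WEB eq 443
access-list INSIDE_IN extended deny ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! DMZ-facing ACL: DMZ (50) -> inside (100) is already denied by security level;
! the explicit deny documents the intent and makes the hit counters visible.
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

To confirm the behaviour without generating traffic, `packet-tracer input inside tcp 10.0.0.50 40000 192.168.50.10 443` should end in ALLOW while `packet-tracer input dmz tcp 192.168.50.10 40000 10.0.0.50 445` should end in DROP, and `show access-list DMZ_IN` shows the hit count on the deny line.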
