Cisco ASA with DMZ - Allow internal hosts

I have a Cisco ASA with a DMZ. I'm wondering what some resources/best practices are for allowing internal hosts on the corporate LAN to access a host which is in the DMZ. The host in the DMZ is accessible over port 443. One lingering question is how you allow the host in the DMZ to access a host in the private network only when the connection is initiated by the host in the private network.
jeroentb:

On the private side, add an access-list entry to permit tcp/443 to the DMZ host...
ASKER CERTIFIED SOLUTION
max_the_king
ASKER:

Simple enough, my default Security Levels were wrong. DMZ should be 50, Inside 100, and Outside 0. This addressed my concern about preventing traffic originating in the DMZ from entering the Inside network.

https://www.youtube.com/watch?v=eeTZZN5U858

max_the_king - your comment "default on ASA inside LAN can always access DMZ, bypassing nat rules and without the need of access lists" made me think about the Security Levels.
max_the_king:

Yep, the higher the security level, the more secure the zone is. You usually give 100 to inside and 0 to the outside interface. In the middle you may create other zones.
max
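The following ASA configuration fragment is an added example, not something posted in this thread. It puts together the two points raised above: the security levels the asker settled on (inside 100, dmz 50, outside 0) and jeroentb's suggestion of an access-list entry for tcp/443, and it shows why a DMZ host can only talk to inside as a reply to an inside-initiated session. Interface names, addresses (10.0.0.0/24 inside, 192.168.50.0/24 dmz, 192.168.50.10 for the web server, 203.0.113.2 outside) and the ACL names are assumptions chosen for the example. It assumes ASA 8.3 or later, where traffic that matches no NAT rule is forwarded untranslated, so no NAT statements are needed between inside and dmz; publishing the server to the outside (static NAT plus an outside ACL) is out of scope and not shown.

```cisco
! Security levels: a higher-level interface may initiate connections to a
! lower-level one without an ACL; lower -> higher is denied unless an ACL
! bound to the lower interface permits it. (Assumed interface layout.)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! The DMZ web server (assumed address).
object network DMZ-WEB
 host 192.168.50.10
!
! Optional tightening of what inside may start toward the DMZ. Binding an ACL
! to an interface replaces the security-level implicit permit with an implicit
! deny, so everything inside legitimately needs (here: internet access) must
! also be listed, or it breaks the moment the access-group line is applied.
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.255.255.0 object DMZ-WEB eq 443
access-list INSIDE-IN extended deny ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE-IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
!
! Make the DMZ -> inside deny explicit (security levels already imply it) while
! still letting the DMZ host reach the internet. Replies to sessions that inside
! opened are never evaluated against this ACL: the ASA matches them to the
! existing entry in its connection table, which is exactly the "only when the
! inside host initiated it" behaviour the asker wanted.
access-list DMZ-IN extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ-IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! Verification from exec mode. The first trace should finish with
! "Action: allow", the second with "Action: drop"; the last command lists
! live connections involving the DMZ host so you can see which side opened them.
show nameif
packet-tracer input inside tcp 10.0.0.50 40000 192.168.50.10 443
packet-tracer input dmz tcp 192.168.50.10 40000 10.0.0.50 445
show conn address 192.168.50.10
```

The packet-tracer pair is the check worth keeping: run both after any change to security levels or access-groups, because a DMZ accidentally set to 100 (the asker's original mistake) would make the second trace succeed without any ACL having been written to allow it.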