Refer to the exhibit:
You have created a network object NAT rule in ASDM to translate the real IP address of a DMZ web server, DMZWWWINT, to an IP address in the OUTSIDE network, DMZWWWEXT. The DMZ interface has a
security level of 50, and the OUTSIDE interface has a security level of 0. In addition, the ASA is running system software version 8.4.
Which of the following statements are true regarding the ACL that will be required to enable hosts in the OUTSIDE network to communicate with the DMZ web server? (Select 2 choices.)
- The ACL should be applied to the OUTSIDE interface.
- The ACL should be applied to the DMZ interface.
- The ACL should reference the DMZWWWEXT object as its source address.
- The ACL should reference the DMZWWWEXT object as its destination address.
- The ACL should reference the DMZWWWINT object as its destination address.
In this scenario, the access control list (ACL) should be applied to the OUTSIDE interface and should reference the DMZWWWINT object as its destination address. The Network Address Translation (NAT) rule in this scenario creates a static mapping between the address of the web server in the DMZ network, which has been defined as an object named DMZWWWINT, and an address in the OUTSIDE network, which has been defined as an object named DMZWWWEXT. This static mapping enables hosts on the outside network to communicate with the DMZ web server by using the DMZWWWEXT address. However, the Cisco Adaptive Security Appliance (ASA) will deny inbound traffic from the OUTSIDE interface by default unless it is return traffic from an existing connection or an ACL exists which explicitly permits the traffic.
You can view, edit, and add ACLs from the Configuration > Firewall > Access Rules pane in Adaptive Security Device Manager (ASDM). By default, the Access Rules pane contains implicit rules that permit traffic from higher security interfaces to lower security interfaces and that deny all traffic that has not been otherwise permitted, as shown in the following exhibit:
You can click the Add button in the Access Rules pane to create a new ACL. When you click the Add button, ASDM will display the Add Access Rule dialog box, as shown in the following exhibit:
In the Add Access Rule dialog box, you should click the Interface dropdown and select the OUTSIDE interface if it is not already selected. The ACL should be applied to the OUTSIDE interface? otherwise, the traffic from the OUTSIDE network would be denied before reaching any of the other ASA interfaces. You should ensure that the Permit radio button is selected in order to permit the traffic specified by the ACL. The Source Criteriasection of the Add Access Rule dialog box can maintain its default values because traffic from any source and user should be permitted to access the DMZ web server. The network object corresponding to the DMZ web server should be specified in the Destination field of the Destination Criteria section. Because the ASA is running a system software revision that is greater than or equal to version 8.3, the ACL required for this scenario must use the object named DMZWWWINT as its destination and not the object named DMZWWWEXT, as would be the case for system software revisions less than version 8.3. Finally, the Service field should be used to specify the protocols that will be permitted by the ACL. By default, all IP traffic is permitted? however, as this rule will apply to a web server, it is more secure to limit the permitted protocols to Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS). You can either type the protocol object names into the field, or click the browse button to select protocols from a list. By default, the Add Access Rules dialog box enables the rule in the inbound direction, which is precisely what is needed in this scenario. The following exhibit shows the Add Access Rules dialog box with sample values that would be suitable for this scenario:
When you click the OK button, the Access Rules pane will automatically update to display the newly created ACL, as shown in the following exhibit:
You would not apply an ACL to the DMZ interface. Although you could apply a similar ACL to the DMZ interface in the outbound direction, traffic from the OUTSIDE interface would be denied by the implicit Global policy before it had a chance to reach the DMZ interface. There is no need to apply an ACL to the DMZ interface in the inbound direction because traffic from higher security interfaces is permitted to lower security interfaces by default. You would not need to supply a source address to the ACL in this scenario, because all traffic passing through the OUTSIDE interface in the inbound direction is specified instead. Although you could specify individual hosts or subnets in a similar ACL, it is significantly more efficient to specify any traffic on the OUTSIDE interface. Typically, the OUTSIDE interface of an ASA connects to the greatest number of additional networks, such as the Internet, and it would quickly become impractical to specify all permitted hosts or subnets.