Refer to the exhibit:
You have created a network object NAT rule in ASDM to translate the real IP address of a DMZ web server,
DMZWWWINT, to an IP address in the OUTSIDE network, DMZWWWEXT. The DMZ interface has a
security level of 50, and the OUTSIDE interface has a security level of 0. In addition, the ASA is running system
software version 8.4.
Which of the following statements are true regarding the ACL that will be required to enable hosts in the
OUTSIDE network to communicate with the DMZ web server? (Select 2 choices.)
A.
The ACL should be applied to the OUTSIDE interface.
B.
The ACL should be applied to the DMZ interface.
C.
The ACL should reference the DMZWWWEXT object as its source address.
D.
The ACL should reference the DMZWWWINT object as its source address.
E.
The ACL should reference the DMZWWWEXT object as its destination address.
F.
The ACL should reference the DMZWWWINT object as its destination address.
Explanation:
In this scenario, the access control list (ACL) should be applied to the OUTSIDE interface and should reference
the DMZWWWINT object as its destination address. The Network Address Translation (NAT) rule in this
scenario creates a static mapping between the address of the web server in the DMZ network, which has been
defined as an object named DMZWWWINT, and an address in the OUTSIDE network, which has been defined
as an object named DMZWWWEXT. This static mapping enables hosts on the outside network to
communicate with the DMZ web server by using the DMZWWWEXT address. However, the Cisco Adaptive
Security Appliance (ASA) will deny inbound traffic from the OUTSIDE interface by default unless it is return
traffic from an existing connection or an ACL exists which explicitly permits the traffic.
You can view, edit, and add ACLs from the Configuration > Firewall > Access Rules pane in Adaptive Security
Device Manager (ASDM). By default, the Access Rules pane contains implicit rules that permit traffic from
higher security interfaces to lower security interfaces and that deny all traffic that has not been otherwise
permitted, as shown in the following exhibit:
You can click the Add button in the Access Rules pane to create a new ACL. When you click the Add button,
ASDM will display the Add Access Rule dialog box, as shown in the following exhibit:
In the Add Access Rule dialog box, you should click the Interface dropdown and select the OUTSIDE interface
if it is not already selected. The ACL should be applied to the OUTSIDE interface? otherwise, the traffic from
the OUTSIDE network would be denied before reaching any of the other ASA interfaces. You should ensure
that the Permit radio button is selected in order to permit the traffic specified by the ACL. The Source
Criteriasection of the Add Access Rule dialog box can maintain its default values because traffic from any
source and user should be permitted to access the DMZ web server. The network object corresponding to the
DMZ web server should be specified in the Destination field of the Destination Criteria section. Because the
ASA is running a system software revision that is greater than or equal to version 8.3, the ACL required for this
scenario must use the object named DMZWWWINT as its destination and not the object named
DMZWWWEXT, as would be the case for system software revisions less than version 8.3. Finally, the Service
field should be used to specify the protocols that will be permitted by the ACL. By default, all IP traffic is
permitted? however, as this rule will apply to a web server, it is more secure to limit the permitted protocols to
Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS). You can either type the protocol object names
into the field, or click the browse button to select protocols from a list. By default, the Add Access Rules dialog
box enables the rule in the inbound direction, which is precisely what is needed in this scenario. The following
exhibit shows the Add Access Rules dialog box with sample values that would be suitable for this scenario:
When you click the OK button, the Access Rules pane will automatically update to display the newly created
ACL, as shown in the following exhibit:
You would not apply an ACL to the DMZ interface. Although you could apply a similar ACL to the DMZ interface
in the outbound direction, traffic from the OUTSIDE interface would be denied by the implicit Global policy
before it had a chance to reach the DMZ interface. There is no need to apply an ACL to the DMZ interface in
the inbound direction because traffic from higher security interfaces is permitted to lower security interfaces by
default. You would not need to supply a source address to the ACL in this scenario, because all traffic passing
through the OUTSIDE interface in the inbound direction is specified instead. Although you could specify
individual hosts or subnets in a similar ACL, it is significantly more efficient to specify any traffic on the
OUTSIDE interface. Typically, the OUTSIDE interface of an ASA connects to the greatest number of additional
networks, such as the Internet, and it would quickly become impractical to specify all permitted hosts or
subnets.Cisco: Configuring Access Rules: Configuring Access Rules
