Exemption Rule

Unanswered Question
Mar 28th, 2008

Hi, I have set up my firewall but some confusion is going on in my mind. I have configured a DMZ and an Inside zone, both ranges are different, the inside security level is 100 by default and the DMZ is 50, but as per the default rule the higher security level zone can access the lower security zone. Right? Now look at the configuration below:



Now I want the DMZ machine to also access the inside zone machine, and for this I have made an access rule, but is it necessary to exempt the traffic between both networks (DMZ and Inside), or will it work without exemption? If it needs an exempt rule, then why should we make this rule? Can anyone help me?

chickman@pronet... Fri, 03/28/2008 - 13:50

Hi Ray!

Ok, so basically if someone from the inside ( wants to talk with someone on the DMZ ( they do not require any access list to be created. If the DMZ wants to INITIATE communication towards the inside network it will require an access list. This is because the security level of the interface does not let the lower interface initiate communication to higher interfaces. This is why you'll need to make rules if anything in the DMZ needs to request communications from the inside network.

I hope this assists.

ray_stone Fri, 03/28/2008 - 13:58

Well, I know whatever you have mentioned in your reply. My question is about the exemption rule. Is an exempt rule required between both the Inside and DMZ networks? Thanks

gbudd12345 Fri, 03/28/2008 - 14:12

I think you are referring to NAT. If you have a static translation set up between your inside to your DMZ AND your DMZ to your inside, that will work as well as a NAT exemption. You can NAT from one address to the same address. For example:

nat (inside,DMZ) netmask

nat (DMZ,inside) netmask

I hope this helps.

--Gavin Budd

ray_stone Fri, 03/28/2008 - 14:41

Hi Gavin, it means I can use a two-way exempt rule and a NAT rule. Both rules are capable of creating connectivity between both networks. Thanks

husycisco Fri, 03/28/2008 - 14:55

Hi Ray

"is it necessary exempt the traffic between both network (DMZ and Inside)"

NAT exemption is not a must for achieving this. You can add the following line and apply PAT:

global (inside) x interface "x is your id number"

or you can exempt it like the following:

static (dmz,inside) dmznetworkhere dmznetworkhere netmask

Or, if you like, you can implement this via a policy NAT to exempt specific traffic.
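To put the two suggestions above (Gavin's identity static and husycisco's exemption) side by side with the access rule the original question is about, here is an added example configuration; it is not from the thread. It assumes pre-8.3 PIX/ASA syntax (the form the thread's nat/static/global lines use) and the constructed networks 10.1.1.0/24 on inside and 192.168.2.0/24 on dmz.

```cisco
! Added example, not from the thread. Constructed addresses:
!   inside = 10.1.1.0/24 (security-level 100), dmz = 192.168.2.0/24 (security-level 50)
! Pre-8.3 PIX/ASA syntax. Note: a translation is only mandatory when "nat-control"
! is enabled; with nat-control disabled (the ASA default) no exemption is needed at all.

! --- Option A: NAT exemption (identity NAT via "nat 0 access-list") ---
! Flows matching NO_NAT cross inside<->dmz untranslated. The exemption ACL is
! evaluated in both directions, so one statement covers dmz-initiated traffic too.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! --- Option B: identity static, as Gavin and husycisco describe (use instead of A) ---
! Presents the inside network to the dmz under its own addresses.
! static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- Needed with either option: an access rule on the lower-security interface ---
! Exemption only decides how addresses are translated; it never grants a dmz host
! the right to initiate a connection to inside. That needs an ACL applied inbound
! on dmz, scoped to the hosts and ports the dmz actually requires.
access-list DMZ_IN extended permit tcp host 192.168.2.10 host 10.1.1.20 eq 1433
access-list DMZ_IN extended deny ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! Verify which translation a dmz-to-inside flow takes (expect an identity/untranslated hit):
! show nat
! show xlate
! packet-tracer input dmz tcp 192.168.2.10 12345 10.1.1.20 1433
```

The deny line before the final permit keeps the dmz's general outbound access while blocking every dmz-to-inside flow other than the single service listed.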


ray_stone Fri, 03/28/2008 - 14:50

You can NAT from one address to the same address. For example:

nat (inside,DMZ) netmask

nat (DMZ,inside) netmask

I didn't understand this point.

husycisco Fri, 03/28/2008 - 14:57

What Gavin suggests is not NAT! It is another type of applying exempt NAT.

