Exemption Rule

ray_stone
Level 1

Hi, I have set up my firewall, but some confusion is going on in my mind. I have configured a DMZ and an Inside zone, and both ranges are different. The inside security level is 100 by default and the DMZ is 50, but as per the default rule the higher security level zone can access the lower security zone. Right? Now look at the configuration below:

DMZ 192.168.10.0/24

Inside 10.0.0.0/24

Now I want the DMZ machine to also be able to access the inside zone machine, and for this I have made an access rule. But is it necessary to exempt the traffic between both networks (DMZ and Inside), or will it work without an exemption? If it needs an exempt rule, then why should we make this rule? Can anyone help me?

7 Replies

chickman
Level 1

Hi Ray!

Ok, so basically if someone from the inside (10.0.0.0) wants to talk with someone on the DMZ (192.168.10.0) they do not require any access list to be created. If the DMZ wants to INITIATE communication towards the inside network it will require an access list. This is because the security level of the interface does not let the lower interface initiate communication to higher interfaces. This is why you'll need to make rules if anything in the DMZ needs to request communications from the inside network.

I hope this assists.

Well, I know this, whatever you have mentioned in your reply. My question is about the exemption rule. Is an exempt rule required between both the Inside and DMZ networks? Thanks

I think you are referring to NAT. If you have a static translation set up between your inside to your DMZ AND your DMZ to your inside, that will work as well as a NAT exemption. You can NAT from one address to the same address. For example:

nat (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

nat (DMZ,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I hope this helps.

--Gavin Budd

Hi Gavin, it means I can use a two-way exempt rule and a NAT rule. Both rules are capable of creating connectivity between both networks. Thanks

Hi Ray

"is it necessary exempt the traffic between both network (DMZ and Inside)"

NAT exemption is not a must for achieving this. You can add the following line and apply PAT:

global (inside) x interface "x is your id number"

or you can exempt it like the following:

static (dmz,inside) dmznetworkhere dmznetworkhere netmask 255.255.255.0

Or, if you like, you can implement this via a policy NAT to exempt only specific traffic.

Regards

You can NAT from one address to the same address. For example:

nat (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

nat (DMZ,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I didn't understand this point.

What Gavin suggests is not NAT! It is another type of applying exempt NAT.
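As an added example (not configuration posted by anyone in this thread), the pieces the replies describe combined into one pre-8.3 ASA configuration: the two interfaces with their security levels, a NAT exemption covering traffic between the two networks (the static identity translation from the replies is shown as a commented alternative), and an inbound ACL on the DMZ interface so that one DMZ host can initiate a connection to one inside server. The subnets are the ones from the question; the interface names, the existence of an outside interface with Internet NAT, the host addresses and the service port are assumptions.

```cisco
! Added example, not any poster's running config. Interface names,
! the outside interface, host addresses and the port are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Typical Internet-access NAT. This is why the exemption matters: without
! it, inside->DMZ traffic matches nat id 1, finds no "global" on DMZ and
! is dropped. With no dynamic NAT at all (nat-control off), it would pass.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! NAT exemption (identity NAT) between the two networks. nat 0 with an
! access-list is bidirectional, so DMZ-initiated connections to
! 10.0.0.0/24 also keep their real addresses.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Equivalent alternative in the style of the static-based replies above:
! static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Security levels only permit inside->DMZ by default. A DMZ-initiated
! connection to inside needs an explicit ACL; keep it host- and port-
! specific. Because the exemption keeps real addresses, the inside host
! is referenced here by its real address as seen from the DMZ.
access-list DMZ_IN extended permit tcp host 192.168.10.20 host 10.0.0.50 eq 1433
! Applying an ACL on DMZ removes the implicit permit to lower-security
! interfaces, so anything else the DMZ legitimately needs (e.g. outbound
! to the Internet) must now be allowed explicitly, after denying inside.
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ
```

Once applied, `show xlate` should show no translation entries for inside/DMZ flows, and `packet-tracer input DMZ tcp 192.168.10.20 12345 10.0.0.50 1433` should report the NAT exemption and the DMZ_IN permit in its phases; a second packet-tracer from a DMZ host not listed in DMZ_IN should be dropped by the ACL, which is the check worth running before trusting the rule set.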
