I'm having a problem that I can't figure out.
To outline a simple setup of our configuration, it looks like this:
inside (sec. level 100)
outside (sec. level 0)
dmz (sec. level 20)
Now, I've created a NAT exempt statement between the dmz and the inside network. I then created a rule on the dmz interface that allows http to any.
The problem is that this rule also allows http access to the inside. I might be wrong, but shouldn't the security levels prevent this automatically in spite of the "any" rule?
Maybe it has something to do with the NAT exempt, or it might just be default behaviour?
Thanks in advance,
That is normal behaviour. What I am a bit confused about is: if you want http access to be allowed from the DMZ but not to the inside, why bother with an acl at all?
For traffic to flow from a lower to a higher security you need 2 things -
1) NAT - which you have taken care of with your exemption
2) an access-list allowing that traffic - which you have done.
If you want to stop this either
1) remove the acl from the dmz interface (although you may be using this acl for other reasons)
2) deny traffic from the dmz to the inside in your access-list first and then permit any, e.g.
access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any
where 172.16.5.0/24 is DMZ subnet and 192.168.5.0/24 is inside subnet.
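As an added illustration (not part of the original thread), the following Python models the first-match evaluation the answer relies on: the same two entries in the order given deny DMZ-to-inside traffic, while a permit-any entry on its own lets it through. The ACL lines and the test addresses are constructed from the subnets in the answer; ports and interface binding are left out.

```python
"""Model first-match evaluation of ASA-style access-list entries."""
import ipaddress

# Constructed sample ACLs, copied from the answer above (deny-first) and
# from the original poster's single permit-any rule.
ACL_DENY_FIRST = [
    "access-list dmz_in deny ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0",
    "access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any",
]
ACL_PERMIT_ONLY = [
    "access-list dmz_in permit ip 172.16.5.0 255.255.255.0 any",
]


def _parse_net(tokens):
    """Consume 'any' or '<address> <mask>' from the front of tokens."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tokens[0], tokens[1]
    del tokens[:2]
    # ipaddress accepts dotted-decimal masks; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_net(rest)
    dst = _parse_net(rest)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip, proto="ip"):
    """Return the action of the first matching entry; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        proto_ok = ace["proto"] == "ip" or ace["proto"] == proto
        if proto_ok and src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    for label, acl in (("permit-any only", ACL_PERMIT_ONLY), ("deny inside first", ACL_DENY_FIRST)):
        print(label, "dmz->inside:", evaluate(acl, "172.16.5.10", "192.168.5.20", "tcp"))
        print(label, "dmz->outside:", evaluate(acl, "172.16.5.10", "203.0.113.7", "tcp"))
```

Swapping the two entries in ACL_DENY_FIRST reproduces the original problem, since the permit-any line would then match first.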