I'm setting up ACLs for the inside, dmz1, dmz2 and external interfaces.
My question is:
I have a host on the inside that needs to get to the DMZ. I have an ACL on the inside and I'll need to permit this host to the DMZ. I'll also need to create an ACL on the DMZ interface that will allow the traffic back to that host, correct?
Assuming a firewall, i.e. a PIX/ASA, then no, because it is stateful, so if you allow the traffic one way it will be allowed back in.
Note this applies to TCP/UDP. If you were using ICMP, that is not stateful, so on pre-v7.x code you had to allow it back in. From v7.x code onwards you can also use ICMP inspection to achieve this.
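As an added example (not part of the thread, and not the answerer's own configuration), here is how that answer looks on an ASA running 7.x or later. The ACL name, the host addresses, the TCP port and the use of the default global_policy/inspection_default class are assumed for illustration; the interface names come from the question.

```cisco
! Constructed example: inside host 10.1.1.10 needs HTTPS and ping to a
! server 172.16.1.20 sitting on dmz1. Only the inbound ACL on the inside
! interface is written; nothing is added to the dmz1 ACL for the return path.
access-list inside_in extended permit tcp host 10.1.1.10 host 172.16.1.20 eq 443
access-list inside_in extended permit icmp host 10.1.1.10 host 172.16.1.20 echo
access-list inside_in extended deny ip any any
access-group inside_in in interface inside
!
! TCP/UDP: the ASA records the connection in its state table when the
! first packet is permitted, so the server's replies from dmz1 are matched
! to that connection and allowed without any entry in the dmz1 ACL.
!
! ICMP is not connection-oriented, so enable ICMP inspection (7.x and later)
! to have echo-replies matched to the outgoing echo-requests. Without this,
! the dmz1 ACL would have to explicitly permit icmp echo-reply back to
! 10.1.1.10, which is the pre-7.x behaviour the answer describes.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

To confirm the stateful behaviour, start the HTTPS connection from 10.1.1.10 and look at `show conn` on the ASA: the connection appears with the inside and dmz1 endpoints, and the return packets are counted against it rather than against the dmz1 ACL. With `inspect icmp` enabled, a ping from the inside host also shows up in `show conn` as an ICMP entry for the duration of the echo/echo-reply exchange.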