ACLs and DMZ - Brain-freeze

Answered Question
Mar 26th, 2009

All,


I'm setting up acls for the inside, dmz1, dmz2 and external.


My question is:


I have a host on the inside that needs to get to the dmz. I have an acl on the inside and I'll need to permit this host to the dmz. I'll also need to create an acl on the dmz interface that will allow the traffic back to that host, correct?


Thanks,

John

Correct Answer by Jon Marshall, Thu, 03/26/2009 - 16:42

John


Assuming a firewall, i.e. a PIX/ASA, then no, because it is stateful: if you allow the traffic one way it will be allowed back in.


Note this applies to TCP/UDP. If you were using ICMP, that is not stateful, so on pre-v7.x code you had to allow it back in. From v7.x code onwards you can also use ICMP inspection to achieve this.


Jon
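The configuration below is an added illustration of the answer above, not part of the original thread; interface names, security levels and addresses are assumed, and NAT is omitted. It permits one inside host to a DMZ server on the inside ACL, leaves the return path to the stateful connection table, and enables ICMP inspection so echo replies are matched to their requests instead of needing a separate DMZ ACL entry.

```cisco
! Assumed interfaces: inside (100) and dmz1 (50)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 192.168.10.1 255.255.255.0

! Inside ACL: the only place the inside->DMZ flow must be permitted.
! 10.1.1.50 (assumed inside host) to 192.168.10.20 (assumed DMZ server).
access-list INSIDE_IN remark host 10.1.1.50 to DMZ web server and ping
access-list INSIDE_IN extended permit tcp host 10.1.1.50 host 192.168.10.20 eq 443
access-list INSIDE_IN extended permit icmp host 10.1.1.50 host 192.168.10.20 echo
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! DMZ ACL: governs connections INITIATED from the DMZ only. No rule for the
! reply traffic of the flow above is needed; the SYN-ACK / UDP reply / echo
! reply matches the existing conn entry and bypasses this ACL.
access-list DMZ1_IN remark DMZ may not initiate connections to the inside
access-list DMZ1_IN extended deny ip any 10.1.1.0 255.255.255.0 log
access-list DMZ1_IN extended permit tcp any any eq 80
access-list DMZ1_IN extended permit tcp any any eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1

! v7.x onwards: ICMP inspection gives echo request/reply the same stateful
! treatment as TCP/UDP, so the DMZ ACL needs no "permit icmp ... echo-reply".
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To confirm the behaviour, open a connection from 10.1.1.50 and check `show conn address 10.1.1.50` for the conn entry and `show access-list DMZ1_IN` to see that the deny line records no hits for the reply traffic.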
