
ACLs and DMZ - Brain-freeze

John Blakley
VIP Alumni

All,

I'm setting up ACLs for the inside, DMZ1, DMZ2 and external interfaces.

My question is:

I have a host on the inside that needs to get to the DMZ. I have an ACL on the inside and I'll need to permit this host to the DMZ. I'll also need to create an ACL on the DMZ interface that will allow the traffic back to that host, correct?

Thanks,

John

HTH, John *** Please rate all useful posts ***

3 Replies

lm20ele
Level 1

What device are you using?

Jon Marshall
Hall of Fame

John

Assuming a firewall, i.e. a PIX/ASA, then no, because it is stateful, so if you allow the traffic one way it will be allowed back in.

Note this applies to TCP/UDP. If you were using ICMP, that is not stateful, so on pre-v7.x code you had to allow it back in. From v7.x code onwards you can also use ICMP inspection to achieve this.

Jon
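An added illustration of the setup Jon describes, in ASA 7.x-or-later syntax (this is not from the original thread; the interface names, addresses and ACL name are made up, and NAT is left out):

```cisco
! Inside host 10.1.1.25 (constructed) needs HTTPS and ping to DMZ host 192.0.2.10 (constructed).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50

! Only an inbound ACL on the inside interface is needed for the initial packet.
! TCP/UDP return traffic is matched against the connection table, so no permit
! for it is required on the dmz1 interface.
access-list INSIDE_IN extended permit tcp host 10.1.1.25 host 192.0.2.10 eq 443
access-list INSIDE_IN extended permit icmp host 10.1.1.25 host 192.0.2.10 echo
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! ICMP is not tracked by default. Enabling ICMP inspection in the global policy
! makes the ASA match the echo-reply to the outbound echo, so the reply is
! allowed back without a separate permit on dmz1 (on pre-7.x code you would
! instead have needed an ACL on the dmz1 interface permitting echo-reply).
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To confirm the behaviour, open a connection from 10.1.1.25 and check `show conn` on the ASA: the TCP (and, with `inspect icmp`, the ICMP) flow appears as a tracked connection, which is what lets the reply through.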

Thanks Jon :)

HTH, John *** Please rate all useful posts ***