I don't believe I will, but when creating ACLs in the DMZ, I'll have to allow the devices in the DMZ access to the internal network.
permit ip dmz-host internal-host
Why don't I have to create an entry for the dmz host on an acl that's applied to the inside interface, or will I?
I've got an existing ACL on my inside interface. Won't I need to allow the DMZ to talk to it?
2 different things really.
Assuming you have not disabled NAT with "no nat-control" then for a packet to be allowed from a lower to a higher security interface you need
1) An acl that permits that access
2) a static NAT translation
So for the DMZ or outside to access the inside there would have to be a NAT. But that alone would not allow access. You would need an ACL on the relevant interface, i.e. DMZ or outside.
Now going back to previous post -
"traffic initiated from the dmz to the inside is not checked against that inside acl."
I should have been more specific. Assuming the ACL on the inside is applied inbound on the interface, then what I wrote is correct, because the return traffic from the inside to the DMZ is checked against the firewall state table.
But if the inside acl was applied outbound on the interface then traffic initiated from the DMZ would be checked against it.
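As an added illustration of the two requirements described above (an ACL on the lower-security interface plus a static translation) and of the inbound-versus-outbound point, here is a minimal ASA 8.2-style configuration. It is not from either poster; interface names, addresses, ACL names and the TCP port are placeholders chosen for the example, and it assumes nat-control is still in effect.

```cisco
! Added example, not from the thread. Assumes "nat-control" is in effect.
! Security levels: inside (100) > dmz (50) > outside (0).
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Requirement 2: a static translation so the inside host 10.1.1.5 is reachable
! from the lower-security dmz (identity NAT, address unchanged). Without this,
! dmz-initiated packets to 10.1.1.5 are dropped even if an ACL permits them.
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
!
! Requirement 1: an ACL applied inbound on the dmz interface. Least privilege:
! permit only the single flow the application needs (placeholder: dmz web
! server to an inside database on TCP 1433), then explicitly deny and log
! anything else aimed at the inside network before allowing dmz -> outside.
access-list dmz_in extended permit tcp host 192.168.1.10 host 10.1.1.5 eq 1433
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0 log
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
!
! The existing inside ACL applied "in" on the inside interface only inspects
! packets that arrive from inside hosts. Return traffic for the dmz-initiated
! session matches the connection (state) table and is never evaluated here,
! so no dmz-specific entry is required in this ACL.
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Contrast: had an ACL been applied "out" on the inside interface, packets
! leaving the firewall toward inside hosts, including the dmz-initiated
! flow above, would be checked against it and would need a matching permit.
! access-list inside_out extended permit tcp host 192.168.1.10 host 10.1.1.5 eq 1433
! access-group inside_out out interface inside
```

When verifying such a change, `show access-list dmz_in` exposes per-entry hit counts, so an unexpected count on the logged deny entry is a quick indicator that some DMZ host is attempting to reach the inside beyond the one permitted flow.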