Allow DMZ to the Internet

Answered Question
May 5th, 2009

Is it a good idea to allow DMZ devices access to the Internet, i.e.:


nat (dmz) 1 access-list dmzout


Obviously they are accessible from the outside using static NATs, but should they be allowed to initiate traffic to the Internet?

Correct Answer by Jon Marshall about 7 years 10 months ago

Roni


Really depends on what applications your DMZ servers are running. If they are using static NATs then you won't need the nat (dmz) 1 access-list dmzout statement, as static statements are bi-directional.


A good example of where you may need DMZ servers to be able to initiate connections to the Internet is DNS, i.e. your mail server on the DMZ needs to resolve remote IP addresses to hostnames.


Jon
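To illustrate the point about static statements being bi-directional, here is a constructed pre-8.3 ASA configuration. It is an added example and not part of the original thread or anyone's posted config; the interface names, addresses (203.0.113.x, 192.168.50.x, 10.0.0.0/8) and ACL names other than dmzout are assumptions. It shows that a DMZ mail server with a static translation can already reach the Internet through that same translation, so the nat (dmz) 1 access-list dmzout line only matters for DMZ hosts that have no static of their own, and that the thing actually deciding whether the DMZ may initiate traffic is the access-list applied inbound on the dmz interface.

```cisco
! Constructed example (assumed addresses and names), pre-8.3 ASA NAT syntax.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Static NAT for the DMZ mail server: mapped (outside) IP <-> real (dmz) IP.
! This one statement is used for inbound connections to 203.0.113.25 AND for
! connections the server itself initiates outbound, so no nat (dmz) line is
! needed for this host.
static (dmz,outside) 203.0.113.25 192.168.50.25 netmask 255.255.255.255
!
! Policy NAT for any other DMZ hosts (no static of their own): only traffic
! matching dmzout is PATed to the outside interface address.
access-list dmzout extended permit ip 192.168.50.0 255.255.255.0 any
nat (dmz) 1 access-list dmzout
global (outside) 1 interface
!
! What the DMZ may initiate is decided here, not by the NAT statements.
! Allow the mail server DNS (UDP and TCP) and outbound SMTP only; block the
! DMZ from reaching the inside network; log anything else that is dropped.
access-list dmz_in extended permit udp host 192.168.50.25 any eq domain
access-list dmz_in extended permit tcp host 192.168.50.25 any eq domain
access-list dmz_in extended permit tcp host 192.168.50.25 any eq smtp
access-list dmz_in extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Inbound from the Internet: pre-8.3 ACLs on the outside interface reference
! the mapped (global) address of the static.
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

The point to take from this for a DMZ design: removing or keeping the nat (dmz) 1 access-list dmzout line does not by itself restrict a host that already has a static, and with nat-control disabled (the default on ASA) untranslated traffic is still forwarded, so the interface access-list is the control that needs to be written with least privilege. Check the resulting behaviour with show xlate and show access-list dmz_in hit counts rather than assuming the NAT statements are doing the filtering.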

mdombek_biz Tue, 05/05/2009 - 10:10

Depends on what you want. In most Cisco documents for an ASA LAN/DMZ/Outside design, the DMZ is allowed to connect to the Internet, e.g. by security level permissions.


cheers

Michael

