05-05-2009 09:45 AM - edited 03-11-2019 08:27 AM
Is it a good idea to allow DMZ devices access to the Internet, i.e.:
nat (dmz) 1 access-list dmzout
Obviously they are accessible from the outside using static NATs, but should they be allowed to initiate traffic to the Internet?
05-05-2009 02:33 PM
Roni
Really depends on what applications your DMZ servers are running. If they are using static NATs then you won't need the nat (dmz) 1 access-list dmzout statement, as static statements are bi-directional.
A good example of where you may need DMZ servers to be able to initiate connections to the Internet is DNS, i.e. your mail server on the DMZ needs to resolve remote IP addresses to hostnames.
Jon
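The design Jon describes, as an added configuration example that is not from the original thread: a static (bi-directional) translation publishes the DMZ mail server, so it can reach out without a nat (dmz) 1 line, and an access-group on the dmz interface is what actually decides which connections DMZ hosts may initiate. Pre-8.3 ASA syntax is used to match the thread; the interface names, the 192.168.10.0/24 DMZ, the 203.0.113.25 public address and the 10.0.0.0/8 inside range are assumed values.

```cisco
! Added example, not the poster's config. Addresses and names are assumed.
! ASA pre-8.3 NAT syntax, matching the "nat (dmz) 1 access-list dmzout" form in the thread.
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Static NAT is bi-directional: 203.0.113.25 maps to the mail server for inbound
! connections AND is used as the source when the mail server initiates outbound.
! No nat (dmz) 1 statement is required for this host.
static (dmz,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255
!
! Only needed for DMZ hosts WITHOUT a static: dynamic PAT to the outside address.
access-list dmzout extended permit ip 192.168.10.0 255.255.255.0 any
nat (dmz) 1 access-list dmzout
global (outside) 1 interface
!
! The real control over what the DMZ may initiate is the ACL on the dmz interface.
! Deny DMZ -> inside first (security-level 50 -> 100 would be blocked anyway, but
! state it explicitly), then allow only DNS and outbound SMTP from the mail server.
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in extended permit udp host 192.168.10.25 any eq domain
access-list dmz_in extended permit tcp host 192.168.10.25 any eq domain
access-list dmz_in extended permit tcp host 192.168.10.25 any eq smtp
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Outside -> DMZ: pre-8.3 ACLs on the outside interface reference the
! translated (public) address, so allow SMTP to 203.0.113.25 only.
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
```

Two things worth checking on a real box: `show xlate` will confirm that traffic from 192.168.10.25 leaves as 203.0.113.25 with no dynamic entry, and the `deny ip any any log` line at the end of dmz_in surfaces any other outbound attempt from the DMZ in syslog, which is the behaviour you want from a compromised DMZ host. If the DMZ uses a known set of resolvers, replace the `any` in the DNS lines with those hosts; on ASA 8.3 and later the NAT statements above have to be rewritten in object-based form, but the access-group logic is unchanged.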
05-05-2009 10:10 AM
Depends on what you want. In most Cisco documents for the ASA LAN/DMZ/Outside design, the DMZ is allowed to connect to the Internet, e.g. by security-level permissions.
cheers
Michael