I have some questions regarding an access-list applied inbound to a DMZ interface.
1. If the firewall is stateful, and the NAT statements are set up correctly, then anyone from an inside interface should be able to access anything on the DMZ interface, with no access-list applied, correct?
2. The access-list that only permits certain hosts on the inside interface to access the DMZ is put in place to prevent just anyone on the "inside" interface from accessing the DMZ, correct?
3. The below access-list, if it were applied inbound to the DMZ interface goes which way?
How can you tell which direction the traffic flows by looking at the access-list?
If this access-list is applied using the following command:
access-group dmz in interface dmz
Then it would imply that host 192.168.100.5 is allowed to initiate a connection to host 10.1.10.15 on port 2100. However, as 10.1.10.15 is on a higher security-level interface (inside), to permit the connection through we would also need the following static command in place:
static (inside,dmz) 10.1.10.15 10.1.10.15
Also, if the "dmz" ACL contains only one line, all traffic except what is defined in the list will be denied due to the implicit deny at the end.
This ACL, applied inbound on the DMZ interface, only controls the traffic initiated from the DMZ and not the traffic initiated from the inside. Once that traffic is initiated, the return traffic from inside to DMZ will flow automatically, the PIX being a stateful firewall.
To control what traffic can be initiated from the inside interface to other networks, you need an ACL applied on the inside interface.
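The following is an added model of the admission logic the answer describes, written for this thread; it is not Cisco code and not from either post. It assumes security levels inside=100 and dmz=50, treats higher-to-lower NAT as already "set up correctly" (question 1) so only lower-to-higher initiations are checked for a static, and reconstructs the one-line ACL from the answer's description, since the thread does not show the ACL itself. It shows why "access-group dmz in interface dmz" only filters connections that DMZ hosts initiate, and why replies to inside-initiated connections pass without ever touching that ACL.

```python
"""Model of PIX/ASA-style packet admission (constructed for this thread,
not Cisco code). Assumed: inside=100, dmz=50; higher-to-lower NAT exists;
the ACL body is the one the answer describes (not shown in the thread)."""

SEC_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # assumed levels

# Constructed config; the access-list line is reconstructed from the answer.
CONFIG = """
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100
access-group dmz in interface dmz
static (inside,dmz) 10.1.10.15 10.1.10.15 netmask 255.255.255.255
"""


class PixModel:
    def __init__(self, config):
        self.acls = {}        # name -> [(action, proto, src, dst, dport)]
        self.groups = {}      # ingress interface -> ACL name applied "in"
        self.statics = set()  # (real_ifc, mapped_ifc, mapped_ip)
        self.conns = set()    # (proto, src, sport, dst, dport, ingress)
        for line in config.strip().splitlines():
            self._parse(line.split())

    @staticmethod
    def _addr(t, i):
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return t[i + 1], i + 2
        raise ValueError("model supports only 'host' and 'any' addresses")

    def _parse(self, t):
        if not t:
            return
        if t[0] == "access-list":
            # access-list NAME permit|deny PROTO <src> <dst> [eq PORT]
            name, action, proto = t[1], t[2], t[3]
            src, i = self._addr(t, 4)
            dst, i = self._addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            self.acls.setdefault(name, []).append((action, proto, src, dst, dport))
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE: filters packets ENTERING IFACE
            self.groups[t[4]] = t[1]
        elif t[0] == "static":
            # static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            self.statics.add((real_ifc, mapped_ifc, t[2]))

    def _acl_permits(self, name, proto, src, dst, dport):
        for action, p, s, d, dp in self.acls.get(name, []):
            if p in (proto, "ip") and s in (src, "any") \
                    and d in (dst, "any") and dp in (dport, None):
                return action == "permit"   # first matching entry wins
        return False                        # implicit deny at the end

    def forward(self, ingress, egress, proto, src, sport, dst, dport, syn):
        """Decide one packet arriving on `ingress`; returns (allowed, reason)."""
        if not syn:
            # Non-initial packets are judged by the connection table only;
            # the interface ACL is never consulted for the reply direction.
            fwd = (proto, src, sport, dst, dport, ingress)
            rev = (proto, dst, dport, src, sport, egress)
            if fwd in self.conns or rev in self.conns:
                return True, "part of an existing connection"
            return False, "no matching connection"
        # 1. The inbound ACL on the ingress interface governs what hosts on
        #    that segment may initiate; with no ACL, only higher->lower passes.
        if ingress in self.groups:
            if not self._acl_permits(self.groups[ingress], proto, src, dst, dport):
                return False, "denied by access-list " + self.groups[ingress]
        elif SEC_LEVEL[ingress] <= SEC_LEVEL[egress]:
            return False, "no ACL on ingress and it is not a higher security level"
        # 2. Lower->higher additionally needs a static exposing the destination
        #    on the ingress interface (the identity static from the answer).
        if SEC_LEVEL[ingress] < SEC_LEVEL[egress] \
                and (egress, ingress, dst) not in self.statics:
            return False, "no static translation for destination"
        self.conns.add((proto, src, sport, dst, dport, ingress))
        return True, "new connection permitted"


def scenarios(config=CONFIG):
    """Run the thread's cases in order; returns {case: allowed}."""
    f = PixModel(config).forward
    return {
        # DMZ host initiates to the inside host on 2100: ACL permit + static
        "dmz_to_inside_2100": f("dmz", "inside", "tcp", "192.168.100.5", 40000, "10.1.10.15", 2100, True)[0],
        # same host, port 22: falls through to the implicit deny
        "dmz_to_inside_22": f("dmz", "inside", "tcp", "192.168.100.5", 40001, "10.1.10.15", 22, True)[0],
        # a different DMZ host: implicit deny
        "other_dmz_host_2100": f("dmz", "inside", "tcp", "192.168.100.6", 40002, "10.1.10.15", 2100, True)[0],
        # inside host opens HTTP to a DMZ server: no inside ACL, higher->lower
        "inside_to_dmz_80": f("inside", "dmz", "tcp", "10.1.10.20", 50000, "192.168.100.5", 80, True)[0],
        # the server's reply enters the dmz interface; ACL "dmz" never sees it
        "dmz_reply_to_inside": f("dmz", "inside", "tcp", "192.168.100.5", 80, "10.1.10.20", 50000, False)[0],
        # a "reply" with no connection behind it is dropped
        "dmz_unsolicited_nonsyn": f("dmz", "inside", "tcp", "192.168.100.5", 80, "10.1.10.21", 50000, False)[0],
    }


def scenarios_without_static():
    """Same ACL but the static removed: the DMZ-initiated connection is refused."""
    cfg = "\n".join(l for l in CONFIG.splitlines() if not l.startswith("static"))
    return PixModel(cfg).forward("dmz", "inside", "tcp", "192.168.100.5", 40000, "10.1.10.15", 2100, True)


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{case:24s} {'PERMIT' if allowed else 'DENY'}")
    print("without static:", scenarios_without_static())
```

The model deliberately omits the outbound side of translation (nat/global, nat-control) and TCP state beyond the first packet; its point is the direction question in item 3: "in" on an interface means packets entering the box on that interface, so the ACL's source addresses are the hosts on that segment, and the stateful return path is what lets inside-initiated sessions cross the DMZ interface with no matching ACL entry.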