Cisco Support Community
New Member

Allow DMZ to the Internet

Is it a good idea to allow DMZ devices access to the Internet, i.e.:

nat (dmz) 1 access-list dmzout

Obviously they are accessible from the outside using static NATs, but should they be allowed to initiate traffic to the Internet?

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Allow DMZ to the Internet

Roni

Really depends on what applications your DMZ servers are running. If they are using static NATs then you won't need the nat (dmz) 1 access-list dmzout statement, as static statements are bi-directional.

A good example of where you may need DMZ servers to be able to initiate connections to the Internet is DNS, i.e. your mail server on the DMZ needs to resolve remote IP addresses to hostnames.

Jon

2 REPLIES
New Member

Re: Allow DMZ to the Internet

Depends on what you want. In most Cisco documents for the ASA LAN / DMZ / Outside design, the DMZ is allowed to connect to the Internet, e.g. by security level permissions.

cheers

Michael
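
Added example, not part of the original thread: a pre-8.3 ASA configuration sketch contrasting DMZ egress left open by policy NAT and security levels with egress limited to what a DMZ mail server needs. The interface name dmz and the nat statement come from the question; the addresses, the contents of dmzout, the ACL name dmz_in and the outbound SMTP rule are assumptions for illustration.

```cisco
! --- Broad egress (the statement from the question) -------------------
! Assumed contents of dmzout: the whole DMZ subnet to any destination.
access-list dmzout extended permit ip 10.10.10.0 255.255.255.0 any
nat (dmz) 1 access-list dmzout
global (outside) 1 interface
! With no ACL applied inbound on the dmz interface, the security-level
! rule lets every DMZ host open any connection towards the outside.

! --- Restricted egress ------------------------------------------------
! The static translation is bi-directional, so the mail server needs no
! separate nat/global pair. Addresses below are constructed samples.
static (dmz,outside) 203.0.113.25 10.10.10.25 netmask 255.255.255.255

! Permit only what the mail server has to initiate: DNS lookups, plus
! outbound SMTP (assumed here because the host is a mail server).
access-list dmz_in remark DMZ mail server egress: DNS and SMTP only
access-list dmz_in extended permit udp host 10.10.10.25 any eq domain
access-list dmz_in extended permit tcp host 10.10.10.25 any eq domain
access-list dmz_in extended permit tcp host 10.10.10.25 any eq smtp

! Log everything else a DMZ host tries to initiate. Unexpected hits on
! this line are a useful signal that a DMZ server is misbehaving.
access-list dmz_in extended deny ip any any log

! Bind the ACL to traffic entering the firewall from the DMZ.
access-group dmz_in in interface dmz
```

Once an ACL is applied inbound on the dmz interface it replaces the implicit security-level permission, so any DMZ-to-inside flows that are still required must also be permitted in dmz_in ahead of the deny line.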
