I was just hoping someone could clarify something for me. Obviously with a DMZ you don't want the devices talking to the internal network (usually, anyway). If a server in the DMZ needed access to anywhere on the web but not inside (e.g. an SMTP server) and you created the ACL to permit the SMTP server using TCP port 25 anywhere, this would also allow it anywhere using TCP 25 on the inside network too, would it not?
Would you have to create the ACL to say deny the SMTP server using TCP 25 to 192.168.0.0 etc., etc. and then permit it anywhere? Or is there a feature that prevents this anyway? I know there is NAT control, which would require a NAT translation, but that is from a higher security to a lower security interface, is it not?
So how would you configure something like this? Hope this makes sense.
Thanks for your reply. I was aware of those points already, but it's appreciated. To be honest, I think I answered my own question; I was just having a stupid moment! I would just need to stick in the deny statements, then the permit all. Just wondered about other ways and best practices, etc.
Hi, sorry, not the best wording. For example, you have an SMTP relay in the DMZ. It needs to be able to get anywhere on the Internet and to one host internally. I meant you would just have to configure it as
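As an added illustration (not part of the original posts), here is one way to write the "specific permit, then deny the inside, then permit anywhere" ordering on a Cisco ASA for the scenario described above. The interface name, ACL name and all addresses are assumptions for the example: the SMTP relay is 172.16.1.10 in the DMZ, the one internal host it may reach is 192.168.0.25, and the inside network is 192.168.0.0/16. The ASA evaluates an ACL top-down, first match wins, with an implicit deny at the end, which is why the order of the lines matters.

```cisco
! Added example, not from the thread. Addresses, interface and ACL names are assumed.
! Applied inbound on the DMZ interface, so it filters traffic sourced from the DMZ.

! 1. The one internal host the relay is allowed to reach on TCP 25.
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 192.168.0.25 eq 25

! 2. Deny the relay from reaching the rest of the inside network on TCP 25.
!    This must come BEFORE the "permit ... any" line; placed after it, it
!    would never match, because the permit-any line would match first.
access-list DMZ_IN extended deny tcp host 172.16.1.10 192.168.0.0 255.255.0.0 eq 25

! 3. Now the relay may talk TCP 25 to anywhere else (the Internet).
access-list DMZ_IN extended permit tcp host 172.16.1.10 any eq 25

! 4. Optional catch-all so nothing else from the DMZ reaches the inside;
!    anything not matched above falls to the implicit deny anyway.
access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.0.0

access-group DMZ_IN in interface dmz
```

To check that the ordering is doing what you expect, look at the hit counts on each line with `show access-list DMZ_IN`: a test connection from the relay to an inside host other than 192.168.0.25 should increment the deny line in step 2, not the permit line in step 3. If the deny line never shows hits, it is almost certainly below the permit-any line.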