I have a couple of questions.
First
When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int, that would be "in", right? Also, from the inside to the DMZ, that would be "in" also, right? I am trying to write an access-list, but having some issues with the direction for whatever reason.
Second
I have a passive FTP situation.
Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.
Here are my outside and DMZ AL:
DMZ
access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050
Outside
access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050
I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but not sure if the DMZ AL is correct? Thoughts?
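Added worked example, not part of the post above and not the poster's configuration: it shows how an ASA "in" access-group is evaluated and how a non-standard FTP control port is handed to the FTP inspection engine so the passive data ports are opened dynamically instead of being permitted as a static range. The interface names (dmz, outside), the ACL name DMZ_IN and the class-map name FTP_10021 are assumptions; the example also assumes the service on port 10021 is plain FTP, as the "inspect ftp" statement implies.

```cisco
! Added illustration (not the poster's config). Names are assumptions.
!
! Direction: "access-group X in interface dmz" is applied to packets as they
! ARRIVE on the dmz interface, i.e. packets whose SOURCE is a DMZ host.
! Packets coming from the outside (or inside) toward a DMZ host are checked
! by the "in" ACL of the interface they arrive on (outside / inside), never
! by the dmz "in" ACL.

! Server-initiated FTP control channel leaving the DMZ toward the Internet.
! The reply packets of this TCP connection are matched against the ASA's
! stateful connection table, so no permit is needed on the outside ACL.
access-list DMZ_IN extended permit tcp host 192.168.45.6 any eq 10021
access-group DMZ_IN in interface dmz

! The default "inspect ftp" in global_policy only watches TCP/21. For the
! ASA to parse the PASV reply on port 10021 and open the negotiated data
! port (somewhere in 34000-34050) on demand, the custom port must be
! matched explicitly.
class-map FTP_10021
 match port tcp eq 10021
policy-map global_policy
 class FTP_10021
  inspect ftp

! Checks: confirm the control-channel line is taking hits and that the
! inspection engine is actually processing the custom port.
show access-list DMZ_IN
show service-policy inspect ftp
```

With inspection matching port 10021, the static permits for the 34000-34050 range are unnecessary in either direction: the inspection engine opens only the single negotiated port for the duration of that transfer, which exposes far less than a permanent 51-port permit. If "show service-policy inspect ftp" shows no packets counted under the FTP_10021 class, the ASA is not inspecting the control channel and the data connections will be dropped, which is the usual symptom of passive FTP "working on port 21 but not on a custom port".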