I've got two DMZs. DMZ1 has the web server with security level 50. DMZ2 is a guest wireless network with security level 10. DNS points to outside. DNS doctoring works fine from the inside for the web server (i.e. when an inside user browses to http://www.company.com, they get the real, untranslated IP). But for users in DMZ2, it doesn't work since DMZ2 has a lower security level than DMZ1. If I create an inbound access list on DMZ2 to allow access to the DMZ1 web server, the implict rule to allow guests to browse the Web obviously is lost.
I reaize one option is to use the following inbound rules on dmz2:
1. Allow any to dmz1 web server for specific services
2. Deny any to inside and dmz1 for all
3. Allow any to any for web browsing
I'm trying to see if there's any other way to do this and keep the implicit "permit all to less secure network". Thanks.
Thanks Adam. Your first suggestion is basically what I am doing (I edited my original post - you must have responded before the edit). As for destination nat, I'm assuming you meant static (dmz1,dmz2). Even if I were to use destination nat instead of doctoring, wouldn't I still need the access lists, since dmz2 is of lower security level than dmz1?
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...