03-07-2008 08:51 AM - edited 03-11-2019 05:14 AM
I've got two DMZs. DMZ1 has the web server with security level 50. DMZ2 is a guest wireless network with security level 10. DNS points to outside. DNS doctoring works fine from the inside for the web server (i.e. when an inside user browses to http://www.company.com, they get the real, untranslated IP). But for users in DMZ2, it doesn't work since DMZ2 has a lower security level than DMZ1. If I create an inbound access list on DMZ2 to allow access to the DMZ1 web server, the implict rule to allow guests to browse the Web obviously is lost.
I reaize one option is to use the following inbound rules on dmz2:
1. Allow any to dmz1 web server for specific services
2. Deny any to inside and dmz1 for all
3. Allow any to any for web browsing
I'm trying to see if there's any other way to do this and keep the implicit "permit all to less secure network". Thanks.
03-07-2008 09:09 AM
"If I create an inbound access list on DMZ2 to allow access to the DMZ1 web server, the implict rule to allow guests to browse the Web obviously is lost."
Why? Couldn't you just do like...
access-list dmz2-in extended permit tcp
access-list dmz2-in extended deny ip
access-list dmz2-in extended permit ip any any
Also, you could use destination nat to access www.company.com from dmz2.
nat (dmz1,dmz2)
03-07-2008 09:32 AM
Thanks Adam. Your first suggestion is basically what I am doing (I edited my original post - you must have responded before the edit). As for destination nat, I'm assuming you meant static (dmz1,dmz2). Even if I were to use destination nat instead of doctoring, wouldn't I still need the access lists, since dmz2 is of lower security level than dmz1?
03-07-2008 09:49 AM
Oops, yes I meant static, haha.
Sure you would still need the acl.
03-07-2008 09:53 AM
You had typed nat (dmz1,dmz2) - I wanted make sure there wasn't some other way to do this than static.
Thanks for the input.
03-07-2008 09:54 AM
Ya, i tried to edit it but it's too late.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: