
Clarification - ASA public ip to dmz

All,

From my test, I think the answer is no but I wanted to get clarification. In the below config, I'm wondering if I need to assign an access-list in the dmz in order to allow return traffic back out from the dmz to the initiating connection on the public side.

static (dmz,outside) 5.5.5.5 192.168.1.1 netmask 255.255.255.255
access-list outside permit tcp any host 5.5.5.5 eq 80
access-list dmz permit tcp host 192.168.1.5 any eq 25
access-group outside in interface outside
access-group dmz in interface dmz

The only thing that I'm allowing from the outside is web traffic. The only thing that I'm allowing from the dmz is smtp traffic out. If a host connects from the outside to 5.5.5.5 on port 80, will I need an entry permitting the return traffic on the dmz acl, or will it allow the traffic back out automatically?

access-list dmz permit tcp host 192.168.1.1 any eq 80

Thanks,

John

HTH, John *** Please rate all useful posts ***
1 REPLY

Re: Clarification - ASA public ip to dmz

Hi John,

You won't need to explicitly allow reply traffic in an ACL as the ASA is stateful.

Regards

James
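To make the stateful point concrete, here is an added example (not part of the thread, and not Cisco code): a small Python model of how an interface ACL is only consulted for packets that open a new connection, while packets belonging to an existing connection are passed by the connection table. The ACL entries and the static translation are the ones from John's post; the outside client address, the remote mail server address and the port numbers are constructed, and the model assumes the mail host 192.168.1.5 is left untranslated because the post shows no NAT statement for it.

```python
"""Added example: a minimal model of stateful inspection for the posted ASA config.
Constructed for illustration; not the ASA's implementation."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on: "outside" or "dmz"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str    # "any" or a host address
    dst: str    # "any" or a host address
    dport: int


# The two interface ACLs exactly as posted (one ACE each).
ACLS = {
    "outside": [Ace("tcp", "any", "5.5.5.5", 80)],
    "dmz": [Ace("tcp", "192.168.1.5", "any", 25)],
}

# static (dmz,outside) 5.5.5.5 192.168.1.1 : public address -> real address
STATIC_NAT = {"5.5.5.5": "192.168.1.1"}


def _field_matches(rule_value, packet_value):
    return rule_value == "any" or rule_value == packet_value


def acl_permits(acl, pkt):
    """First-match evaluation of an interface ACL with the implicit deny at the end."""
    for ace in acl:
        if (ace.proto == pkt.proto
                and _field_matches(ace.src, pkt.src)
                and _field_matches(ace.dst, pkt.dst)
                and ace.dport == pkt.dport):
            return True
    return False


class StatefulFirewall:
    def __init__(self, acls, static_nat):
        self.acls = acls
        self.public_to_real = dict(static_nat)
        # Connection table keyed on real (untranslated) addresses, from the
        # initiator's point of view: (proto, client_ip, client_port, server_ip, server_port)
        self.conns = set()

    def _real(self, addr):
        # Addresses with a static translation are stored by their real address
        return self.public_to_real.get(addr, addr)

    def process(self, pkt):
        """Return 'permit:existing', 'permit:acl' or 'deny' for one packet."""
        forward_key = (pkt.proto, self._real(pkt.src), pkt.sport,
                       self._real(pkt.dst), pkt.dport)
        # A reply travels the other way, so its key is the stored key reversed
        reply_key = (pkt.proto, self._real(pkt.dst), pkt.dport,
                     self._real(pkt.src), pkt.sport)
        if forward_key in self.conns or reply_key in self.conns:
            return "permit:existing"      # no ACL lookup for known connections
        # New connection: only the inbound ACL of the ingress interface decides
        if not acl_permits(self.acls.get(pkt.ingress, []), pkt):
            return "deny"
        self.conns.add(forward_key)
        return "permit:acl"


def run_scenarios():
    """Constructed traffic sample; only the addresses from the post are real config."""
    fw = StatefulFirewall(ACLS, STATIC_NAT)
    client = "203.0.113.10"        # constructed outside client
    mail_peer = "198.51.100.25"    # constructed remote mail server
    web_peer = "198.51.100.7"      # constructed remote web server
    results = {}
    # Outside client opens a web connection to the public address
    results["web_in"] = fw.process(Packet("outside", "tcp", client, 40000, "5.5.5.5", 80))
    # The server's reply leaves the dmz although the dmz ACL has no port 80 entry
    results["web_reply"] = fw.process(Packet("dmz", "tcp", "192.168.1.1", 80, client, 40000))
    # The same dmz host *initiating* an outbound web connection does need an ACE
    results["web_out_new"] = fw.process(Packet("dmz", "tcp", "192.168.1.1", 45000, web_peer, 80))
    # Mail host sending SMTP out, permitted by the dmz ACL
    results["smtp_out"] = fw.process(Packet("dmz", "tcp", "192.168.1.5", 50000, mail_peer, 25))
    # Remote mail server's reply enters on outside without an outside ACE for port 25
    results["smtp_reply"] = fw.process(Packet("outside", "tcp", mail_peer, 25, "192.168.1.5", 50000))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:12} {verdict}")
```

The "web_reply" and "smtp_reply" cases are the ones the question is about: both pass on the connection table alone. The "web_out_new" case shows when the extra line `access-list dmz permit tcp host 192.168.1.1 any eq 80` would actually be required, namely if 192.168.1.1 itself opens web connections outbound rather than answering inbound ones.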
