From my test, I think the answer is no but I wanted to get clarification. In the below config, I'm wondering if I need to assign an access-list in the dmz in order to allow return traffic back out from the dmz to the initiating connection on the public side.
access-list outside permit tcp any host 126.96.36.199 eq 80
access-list dmz permit tcp host 192.168.1.5 any eq 25
access-group outside in interface outside
access-group dmz in interface dmz
The only thing that I'm allowing from the outside is web traffic. The only thing that I'm allowing from the dmz is SMTP traffic out. If a host connects from the outside to 188.8.131.52 on port 80, will I need an entry permitting the return traffic on the dmz ACL, or will it allow the traffic back out automatically?
access-list dmz permit tcp host 192.168.1.1 any eq 80
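As an added illustration (not from the post and not Cisco code), a small Python model of per-interface inbound ACLs plus a connection table, showing why the reply out of the DMZ needs no dmz ACL entry while a new DMZ-originated port-80 connection is still denied; the client address, the Packet/Ace names and the absence of NAT are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a TCP connection

@dataclass(frozen=True)
class Ace:  # one "permit tcp <src> <dst> eq <port>" entry; "any" is a wildcard
    src: str
    dst: str
    dport: int
    def matches(self, p):
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and p.dport == self.dport)

class StatefulFirewall:
    def __init__(self, inbound_acls):
        self.acls = inbound_acls  # interface name -> ACL applied "in" on it
        self.conns = set()        # connection table of permitted 4-tuples
    def process(self, ingress_iface, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Packets of an existing connection (either direction) skip the ACL.
        if fwd in self.conns or rev in self.conns:
            return "permit (existing conn)"
        if not p.syn:
            return "deny (no conn)"  # mid-stream packet with no state
        # New connection: only the ingress interface's inbound ACL is consulted.
        for ace in self.acls.get(ingress_iface, []):
            if ace.matches(p):
                self.conns.add(fwd)
                return "permit (acl)"
        return "deny (implicit)"     # implicit deny at the end of every ACL

def demo():
    # NAT is not modelled: the DMZ server is 192.168.1.5 on both sides (assumption).
    fw = StatefulFirewall({
        "outside": [Ace("any", "192.168.1.5", 80)],  # web in from anywhere
        "dmz": [Ace("192.168.1.5", "any", 25)],       # SMTP out only
    })
    client = "198.51.100.7"  # constructed public client address
    syn = Packet(client, 40000, "192.168.1.5", 80, syn=True)
    reply = Packet("192.168.1.5", 80, client, 40000, syn=False)
    new_web_out = Packet("192.168.1.5", 50000, client, 80, syn=True)
    stray = Packet(client, 40001, "192.168.1.5", 80, syn=False)
    return (fw.process("outside", syn), fw.process("dmz", reply),
            fw.process("dmz", new_web_out), fw.process("outside", stray))
```

The reply is permitted because the outside-initiated connection is already in the table; the stray packet shows that a non-SYN packet with no matching connection is dropped before any ACL is consulted.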