Cisco Support Community
New Member

Exemption Rule

Hi, I have set up my firewall but there is some confusion going on in my mind. I have configured a DMZ and an Inside zone and both ranges are different; the inside security level is 100 by default and the DMZ is 50, but as per the default rule the higher security level zone can access the lower security zone. Right? Now look at the configuration below:

DMZ 192.168.10.0/24

Inside 10.0.0.0/24

Now I want the DMZ machine to also be able to access the inside zone machine, and for this I have made an access rule. But is it necessary to exempt the traffic between both networks (DMZ and Inside), or will it work without exemption? If it needs an exempt rule, then why should we make this rule? Can anyone help me?

7 REPLIES
New Member

Re: Exemption Rule

Hi Ray!

Ok, so basically if someone from the inside (10.0.0.0) wants to talk with someone on the DMZ (192.168.10.0) they do not require any access list to be created. If the DMZ wants to INITIATE communication towards the inside network it will require an access list. This is because the security level of the interface does not let the lower interface initiate communications to higher interfaces. This is why you'll need to make rules if anything in the DMZ needs to request communications from the inside network.

I hope this assists.

New Member

Re: Exemption Rule

Well, I know what you have mentioned in your reply. My question is about the exemption rule. Is an exempt rule required between the Inside and DMZ networks? Thanks

New Member

Re: Exemption Rule

I think you are referring to NAT. If you have a static translation setup between your inside to your DMZ AND your DMZ to your inside, that will work as well as a NAT exemption. You can NAT from one address to the same address. For example:

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

static (DMZ,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

I hope this helps.

--Gavin Budd

New Member

Re: Exemption Rule

Hi Gavin, it means I can use either a two-way exempt rule or a NAT rule. Both rules are capable of creating connectivity between the two networks. Thanks

Re: Exemption Rule

Hi Ray

"is it necessary to exempt the traffic between both networks (DMZ and Inside)"

NAT exemption is not a must for achieving this. You can add the following lines and apply PAT:

nat (dmz) x 192.168.10.0 255.255.255.0
global (inside) x interface
! x is your NAT id number

or you can exempt it like the following:

static (dmz,inside) dmznetworkhere dmznetworkhere netmask 255.255.255.0

Or, if you like, you can implement this via policy NAT to exempt only specific traffic.

Regards
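As an added example (not from the original thread or any of its posters), here is a pre-8.3 ASA configuration for the poster's two networks that puts the options discussed in this thread side by side: the security levels from the first reply, NAT exemption versus an identity static from the replies above, and the access list that actually permits DMZ-initiated sessions. The interface names, the NAT id, the hosts 192.168.10.20 and 10.0.0.50, the ACL names and port 1433 are assumptions chosen for illustration:

```cisco
! Added example, not from the thread. Assumes pre-8.3 ASA syntax (as used in
! this reply) and the poster's networks: inside 10.0.0.0/24 at security level
! 100, DMZ 192.168.10.0/24 at security level 50. Interface names are assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Option A: NAT exemption (nat 0 with an ACL). Exemption is bidirectional,
! so this one statement keeps real addresses for inside->DMZ and DMZ->inside.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Option B, used instead of A: identity static for the inside network as seen
! from the DMZ. Same effect for these two subnets; shown commented out so the
! two options are not both active.
! static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Neither option authorizes DMZ-initiated traffic. Level 50 -> 100 is denied
! by default, so the access-group on DMZ is what permits it. Permit only the
! flow that is needed (assumed: one DMZ host to one inside SQL server) and
! log everything else that the DMZ tries to originate.
access-list DMZ_IN extended permit tcp host 192.168.10.20 host 10.0.0.50 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
```

The explicit deny at the end of DMZ_IN also blocks DMZ-to-outside traffic, so any Internet-bound flow the DMZ host needs must get its own permit line above it. To confirm which NAT rule and which ACE a DMZ-originated packet hits, run `packet-tracer input DMZ tcp 192.168.10.20 12345 10.0.0.50 1433` and check the NAT and ACCESS-LIST phases in its output; `show xlate` afterwards should show the 10.0.0.50 address untranslated.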

New Member

Re: Exemption Rule

You can NAT from one address to the same address. For example:

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

static (DMZ,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

I didn't understand this point.

Re: Exemption Rule

What Gavin suggests is not NAT! It is another way of applying exempt NAT.
