I have a Cisco PIX 525 with 5 interfaces. 1 is the outside interface with a public address, and there is another public network in the DMZ. Now there are no translations between the DMZ and outside as both contain routable addresses. Now I have created the ACLS, for the outside to get to the DMZ and the traffic works fine. My question is do I need to allow the traffic back from the DMZ or will the traffic be allowed to return due to it being an SPI firewall?
Also do I need a NAT 0 statement for traffic passing from the DMZ to the outside?
What is the actual config to do this on your firewall?
Are you experiencing any connectivity problems?
As for the ACL, you don't need one on the DMZ, as return traffic from the DMZ to outside will be allowed due to the stateful nature of the firewall, and connections from the DMZ can be initiated to a lower security interface.
Only if you wanted to
a) restrict outbound traffic from DMZ
b) allow traffic from DMZ to a higher security interface such as the inside
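A small Python model of the decision logic the reply above describes (interface security levels, an inbound ACL applied on the outside interface, and the stateful connection table), added here as an illustration and not taken from the thread or from Cisco; the interface names, security levels, ACL entries and addresses are assumed.

```python
from dataclasses import dataclass, field
# Constructed security levels (ASA defaults: outside 0, inside 100; dmz chosen here).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Firewall:
    acls: dict = field(default_factory=dict)  # ACL entries per ingress interface
    conns: set = field(default_factory=set)   # stateful connection table

    def _acl_permits(self, in_if, flow):
        # First matching entry wins; an applied ACL ends with an implicit deny.
        for action, src, dst, proto, dport in self.acls[in_if]:
            if (src in ("any", flow.src) and dst in ("any", flow.dst)
                    and proto == flow.proto and dport in ("any", flow.dport)):
                return action == "permit"
        return False

    def check(self, in_if, out_if, flow):
        # 1. Reply to a connection in the table: allowed by state, no ACL consulted.
        if (flow.dst, flow.src, flow.proto, flow.dport, flow.sport) in self.conns:
            return True, "existing connection"
        # 2. New connection: an inbound ACL on the ingress interface decides ...
        if in_if in self.acls:
            allowed, reason = self._acl_permits(in_if, flow), "acl"
        # 3. ... otherwise only higher-to-lower security level is permitted.
        else:
            allowed, reason = SECURITY[in_if] > SECURITY[out_if], "security level"
        if allowed:
            self.conns.add((flow.src, flow.dst, flow.proto, flow.sport, flow.dport))
        return allowed, reason

def demo():
    # Constructed addresses (RFC 5737 documentation ranges for the public sides).
    fw = Firewall(acls={"outside": [("permit", "any", "198.51.100.5", "tcp", 80)]})
    client, web, inside = "203.0.113.10", "198.51.100.5", "10.1.10.5"
    return {
        "outside->dmz new :80": fw.check("outside", "dmz", Flow(client, web, "tcp", 40000, 80)),
        "dmz->outside reply": fw.check("dmz", "outside", Flow(web, client, "tcp", 80, 40000)),
        "dmz->outside new": fw.check("dmz", "outside", Flow(web, client, "tcp", 50000, 443)),
        "dmz->inside new": fw.check("dmz", "inside", Flow(web, inside, "tcp", 50001, 22)),
        "outside->dmz new :22": fw.check("outside", "dmz", Flow(client, web, "tcp", 40001, 22)),
    }
```

The DMZ reply is accepted because the outside-to-DMZ connection already exists in the table, while the DMZ-to-inside attempt fails because no ACL on the DMZ interface overrides the lower-to-higher default deny.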
I've got it, thanks. I have one other question if you don't mind. We also have an ASA set up with 2 interfaces, one with 192.168.1.x and the other with 10.1.10.x. Now we have the ACLs configured and traffic can pass between subnets without any NAT statement. How is this possible?