Question about route (to and from) DMZ and Internal interface

Folks:

I need a little help here with a question that relates more to best practice than to technical detail.

I currently have my lab configured

192.168.3.1 (internal)         192.168.1.0/24 (DMZ)

<>-------------------------------[Firewall]------------<>

+ Currently there is no route configured from 192.168.3.0 to 192.168.1.0.

- only directly connected

- C    192.168.3.0 255.255.255.0 is directly connected, inside

+ Currently no route configured from 192.168.1.0 to 192.168.3.0

- only directly connected

- C    192.168.1.0 255.255.255.0 is directly connected, dmz

+ Internal servers use NAT address to the DMZ if needed

- Example: 192.168.3.5 -> NAT -> 192.168.1.5

+ There is an ACL applied on the Internal interface

- access-list DMZ extended permit ip any any

+ From internal I can PING any device in the DMZ; however, from the DMZ I cannot ping any device on the 192.168.3.0/24 subnet, because the route has not been created.

My main question – is this safe, since the DMZ does not have a route to the Internal network?

Thanks.

1 REPLY

Can you share the configuration? That would determine whether a route is needed or not.

Thanks,
Varun Rao
Security Team,
Cisco TAC
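Editor's note with an added example (not the poster's configuration and not from the reply). The `show route` lines quoted in the question already show a connected route for both subnets, so the firewall can forward DMZ-to-inside packets; what stops them on an ASA is the access policy on the dmz interface (by default, traffic from a lower security level to a higher one is denied unless an ACL bound to that interface permits it), not a missing route. The ASA 8.3+ fragment below reproduces the lab as described and adds an explicit DMZ policy plus packet-tracer checks. Interface names, security levels, the firewall's dmz address 192.168.1.1, the object name, the test hosts 192.168.3.10 and 192.168.1.20 and the TCP/443 service are assumptions made for the example.

```cisco
! Constructed ASA 8.3+ example for the lab in the question; assumed values are
! marked. Both subnets are directly connected, so "show route" already lists
! them as C (connected) routes in both directions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50                      ! assumed
 ip address 192.168.1.1 255.255.255.0   ! assumed firewall address in the DMZ
!
! Static NAT for the internal server from the question. Static translations
! are bidirectional: 192.168.1.5 is reachable from the DMZ whenever the policy
! on the dmz interface allows it, regardless of any route.
object network INSIDE-SRV
 host 192.168.3.5
 nat (inside,dmz) static 192.168.1.5
!
! The policy as posted: everything from inside is allowed towards the DMZ.
access-list DMZ extended permit ip any any
access-group DMZ in interface inside
!
! Tighter alternative for the inside interface (assumed services): permit only
! what inside hosts actually need in the DMZ and log everything else.
access-list INSIDE-IN extended permit tcp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list INSIDE-IN extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list INSIDE-IN extended deny ip any any log
! access-group INSIDE-IN in interface inside
!
! Explicit DMZ policy instead of relying only on the default lower-to-higher
! deny. ASA 8.3+ evaluates interface ACLs against real (untranslated)
! addresses, so denying 192.168.3.0/24 also blocks DMZ hosts that target the
! mapped address 192.168.1.5.
access-list DMZ-IN extended deny ip any 192.168.3.0 255.255.255.0 log
access-list DMZ-IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! Verification. "show route" reproduces the connected entries quoted in the
! question; packet-tracer shows which phase (ROUTE-LOOKUP, ACCESS-LIST, NAT)
! permits or drops each flow.
show route
packet-tracer input inside icmp 192.168.3.10 8 0 192.168.1.20
packet-tracer input dmz icmp 192.168.1.20 8 0 192.168.1.5
packet-tracer input dmz icmp 192.168.1.20 8 0 192.168.3.5
```

With this configuration the first packet-tracer run is permitted by the ACL on inside, and the two DMZ-sourced runs are dropped in the ACCESS-LIST phase by DMZ-IN (without any access-group on dmz they would be dropped by the implicit lower-to-higher deny instead). Run the same three commands on the real unit after the `show route` output Varun asked for: if the DMZ-sourced traces drop in the ACCESS-LIST phase, the protection is the policy, and a route added later would not change that; if they ever show a permit, the static NAT has exposed 192.168.3.5 to the DMZ.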
