Cisco Support Community
New Member

to allow access from dmz to inside

inside -172.16.x.x

dmz- 192.168.x.x

inside security level-100

dmz- 50

By default inside should be able to access dmz as no nat-control is enabled.

Now dmz should be able to access inside.

I have used an access-list: access-list dmzin permit ip 192.168.x.x 255.255.255.0 any

access-group dmzin in interface dmz

Is there any alternative to the above solution?

4 REPLIES
Red


Hi Prashant,

Is it working fine for you? I am not exactly able to understand what you really are looking for.

For allowing traffic you would definitely need the access-list that you applied while going from lower security to higher security level.

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member


Hi varun,

The above access-list is working fine, but I have most often seen the following being used:

static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.255

The access-list is applied on dmz.

Can you explain to me how this NAT works?

Red


Hi Prashant,

The static statement is a self nat statement, which means if the users in the DMZ tried to access the server 172.16.xx.xx, the server IP would be translated to its own IP itself, which is a correct static statement.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member


Just for example:

Assume inside network - 172.16.x.x

dmz network - 192.168.1.x

Say dmz should be able to access an inside network server, e.g. 172.16.101.5

access-list dmzin permit tcp any host 172.16.101.5 eq 80

access-group dmzin in interface dmz

Does the access list work?
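As an added illustration (not part of the thread or any Cisco code), the following Python model encodes the rule Varun describes and the configuration Prashant posts: with no inbound ACL only higher-to-lower security level traffic passes, an inbound ACL on the ingress interface decides with an implicit deny at the end, and the static (inside,dmz) statement is an identity NAT that maps the server to itself. The concrete "x.x" networks and the 172.16.101.5 static entry are constructed values.

```python
from ipaddress import ip_address, ip_network

# Interfaces and security levels from the thread; the "x.x" networks are constructed here.
INTERFACES = {
    "inside": {"level": 100, "net": ip_network("172.16.0.0/16")},
    "dmz":    {"level": 50,  "net": ip_network("192.168.1.0/24")},
}

# access-list dmzin permit tcp any host 172.16.101.5 eq 80
# An ACE is (protocol, source, destination, destination port or None for any).
ACLS = {"dmzin": [("tcp", ip_network("0.0.0.0/0"), ip_network("172.16.101.5/32"), 80)]}

# access-group dmzin in interface dmz
ACCESS_GROUPS = {"dmz": "dmzin"}

# static (inside,dmz) 172.16.101.5 172.16.101.5 netmask 255.255.255.255 (constructed)
# An identity ("self") static: the real address is mapped to itself.
STATIC_NAT = {"172.16.101.5": "172.16.101.5"}


def egress_interface(dst):
    """Pick the egress interface by the connected network the destination lies in."""
    for name, intf in INTERFACES.items():
        if ip_address(dst) in intf["net"]:
            return name
    raise ValueError(f"no interface route for {dst}")


def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation; falling off the end is the implicit deny."""
    for ace_proto, ace_src, ace_dst, ace_port in acl:
        if (ace_proto in ("ip", proto) and ip_address(src) in ace_src
                and ip_address(dst) in ace_dst and ace_port in (None, dport)):
            return True
    return False


def evaluate(ingress, proto, src, dst, dport, access_groups=ACCESS_GROUPS):
    """Decide whether a new connection entering `ingress` is permitted."""
    egress = egress_interface(dst)
    mapped_dst = STATIC_NAT.get(dst, dst)   # identity static leaves the address unchanged
    acl_name = access_groups.get(ingress)
    if acl_name is not None:
        # An inbound ACL on the ingress interface replaces the security-level rule.
        permit = acl_permits(ACLS[acl_name], proto, src, dst, dport)
    else:
        # No ACL: only higher-to-lower security level (inside -> dmz) passes by default.
        permit = INTERFACES[ingress]["level"] > INTERFACES[egress]["level"]
    return {"permit": permit, "egress": egress, "mapped_dst": mapped_dst}
```

Return traffic of established connections is stateful on the real device and is not modelled here; the model covers only the first packet of a new connection.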
