Cisco Support Community

Access-list on DMZ

I want to allow a selective access from DMZ to inside. So I created an access list like:

access-list dmz permit tcp host <dmzhost> host <insidehost> eq http

access-group dmz in interface dmz

DMZ hosts also need full outgoing connectivity to outside.

Questions:

Do I have to allow outgoing traffic from DMZ to outside in this access-list?

So this access-list seems to have two features:

1. allows access to higher security interface

2. restricts outgoing traffic from DMZ to outside

Is it true?

4 REPLIES
Re: Access-list on DMZ

No, you have to make use of NAT and global commands for the DMZ traffic to go to the less secure outside interface.

You may have to insert a new NAT command to allow the DMZ subnet, but you can make use of the same global command that you are already using for the 'inside' subnet to go through the 'outside' interface, by using the same NAT id.

Hope this helps...

Best regards / Sampath.

Re: Access-list on DMZ

OK, but can I restrict access from DMZ to outside? I mean in a more complex way (e.g. from a DMZ IP to a particular outside IP and/or port). The NAT (interface) command would not help in this case.

Re: Access-list on DMZ

The dmz access-list is applicable to all the traffic that enters the dmz interface. So the traffic to the outside is also limited by this access-list.

To allow traffic to the outside, you have to do two things:

- change your access-list so that it allows traffic to the outside

- use some kind of address/port translation for the hosts on the dmz (towards the outside).

Kind Regards,

Tom

Re: Access-list on DMZ

You need to be careful about ordering the access-list as follows:

FIRST – Define access from DMZ hosts to inside.

SECOND – Disallow any other access from the DMZ to inside.

THIRD – Allow access to outside (either permit any, or just the ports you want).

This is the only way of doing what you want (until we get outbound access-lists).

Andrew.
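The two points made in the replies above (Tom's: the dmz access-list is evaluated for everything entering the dmz interface, so the original one-line list blocks DMZ-to-outside traffic; Andrew's: the permit/deny/permit ordering matters because an access-list is first-match with an implicit deny at the end) can be checked with a small first-match evaluator. The following is an added example written for this page, not code from the thread or from Cisco. The addresses (DMZ 192.168.10.0/24, inside 10.0.0.0/24, dmzhost 192.168.10.5, insidehost 10.0.0.20, an outside host 203.0.113.7) are assumptions standing in for the <dmzhost> and <insidehost> placeholders in the question; NAT/global translation, which the firewall still requires for DMZ-to-outside traffic, is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry, modelled on a PIX 'access-list <name> permit|deny ...' line."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network    # source match; a host is a /32
    dst: ipaddress.IPv4Network    # destination match
    dport: Optional[int] = None   # destination port ('eq <port>'); None means any port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation: the first ACE that matches decides, otherwise implicit deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"   # every access-list ends with an implicit deny


# Constructed addressing (assumptions, not from the thread).
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
DMZ_HOST = ipaddress.ip_network("192.168.10.5/32")      # <dmzhost>
INSIDE_HOST = ipaddress.ip_network("10.0.0.20/32")      # <insidehost>

# The one-line list from the question: only dmzhost -> insidehost on tcp/80.
ACL_ORIGINAL = [
    Ace("permit", "tcp", DMZ_HOST, INSIDE_HOST, 80),
]

# Andrew's ordering: specific permit, then deny the rest of inside, then permit outside.
ACL_ORDERED = [
    Ace("permit", "tcp", DMZ_HOST, INSIDE_HOST, 80),
    Ace("deny", "ip", DMZ_NET, INSIDE_NET),
    Ace("permit", "ip", DMZ_NET, ANY),
]

# Same three lines with the broad permit first: it matches inside addresses too.
ACL_MISORDERED = [
    Ace("permit", "ip", DMZ_NET, ANY),
    Ace("permit", "tcp", DMZ_HOST, INSIDE_HOST, 80),
    Ace("deny", "ip", DMZ_NET, INSIDE_NET),
]


def check(acl):
    """Evaluate four representative flows entering the dmz interface against an ACL."""
    return {
        "dmzhost_web_to_insidehost": evaluate(acl, "tcp", "192.168.10.5", "10.0.0.20", 80),
        "dmzhost_ssh_to_insidehost": evaluate(acl, "tcp", "192.168.10.5", "10.0.0.20", 22),
        "other_dmz_to_insidehost":   evaluate(acl, "tcp", "192.168.10.9", "10.0.0.20", 80),
        "dmz_to_outside":            evaluate(acl, "tcp", "192.168.10.9", "203.0.113.7", 443),
    }


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("ordered", ACL_ORDERED), ("misordered", ACL_MISORDERED)):
        print(name, check(acl))
```

With ACL_ORIGINAL the outside flow is denied, which is the behaviour the question was seeing. With ACL_ORDERED only the single web flow reaches the inside and everything else from the DMZ goes out; with ACL_MISORDERED the first line already matches inside destinations, so the deny on the third line is never reached and SSH from the DMZ to the inside host is permitted. One caveat when reproducing the ordered list on a real firewall: the second line only denies the inside networks you actually name, so every inside subnet must be listed there, or the final permit will let DMZ hosts reach it.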
