restricting dmz access to inside

Hi all,

Having static NAT'ed inside to DMZ like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

(Where 192.168.1.0 is the inside network)

My issue is that I don't see any hits on my access-list bound to the access-groups on the two interfaces, even though traffic is flowing fine.

Question is - does the full network-nat make the acl for those two interfaces obsolete?

Kind regards


Re: restricting dmz access to inside

Hi,

No matter what, if the access list is applied to the interface, it will be the first thing the PIX will look into.

The access list is matched first, then the translation rule. So when the packet comes into the PIX interface and we have an access list applied to that interface, the PIX will first check if the traffic is permitted or denied. If it's denied then it will drop it, and if permitted then it will check for the translation rule.

Important: the access list is not checked for the return traffic; the PIX looks into other things like translation, connection entry, sequence numbers etc. for the return traffic.

Check if the access list is applied properly on the interface.

Hope this helps.

Tanveer
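As an added illustration (not part of the original thread), here is a PIX configuration that keeps the identity static translation from the question and restricts what the DMZ may reach on the inside. The DMZ subnet 172.16.1.0/24, the two hosts and the port are assumed values chosen for the example:

```text
! Identity static from the question: DMZ hosts reach inside hosts by their real addresses
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! ACL checked for the first packet of each connection arriving on the dmz interface
! (assumed: a DMZ web server 172.16.1.10 that only needs the inside DB host 192.168.1.20)
access-list dmz_in permit tcp host 172.16.1.10 host 192.168.1.20 eq 1433
! everything else from the DMZ towards the inside network is dropped and logged
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 log
! DMZ may still initiate connections to anything that is not the inside network
access-list dmz_in permit ip 172.16.1.0 255.255.255.0 any

! bind the ACL inbound on the dmz interface
access-group dmz_in in interface dmz

! verify: the hitcnt on each line counts connections initiated from the DMZ side
show access-list dmz_in
```

Only the initial packet of a connection increments the hitcnt on the interface where it arrived; reply traffic is matched against the connection entry, so an ACL on the inside interface shows no hits for sessions the DMZ did not originate.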
