
restricting dmz access to inside

kelvindam
Level 1

Hi all,

Having static NAT'ed inside to DMZ like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

(Where 192.168.1.0 is the inside network)

My issue is that I don't see any hits on my access-lists bound with access-groups on the two interfaces, even though traffic is flowing fine.

Question is: does the full-network NAT make the ACLs for those two interfaces obsolete?

Kind regards

1 Reply

thamdani
Cisco Employee

Hi,

No matter what, if the access list is applied to the interface, it will be the first thing the PIX looks into.

The access list is matched first, and then the translation rule. So when the packet comes into the PIX interface and we have an access list applied to that interface, the PIX will first check if the traffic is permitted or denied. If it's denied, it will drop it, and if permitted, it will then check for the translation rule.

Important: the access list is not checked for the return traffic. For the return traffic the PIX looks into other things, like the translation, the connection entry, sequence numbers, etc.

Check if the access list is applied properly on the interface.

Hope this helps.

Tanveer
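As an added illustration of the check suggested above (this is a constructed example, not configuration from the original poster or from Cisco): the identity static from the question together with one ACL per interface, each bound inbound with access-group. The DMZ network 10.10.10.0/24, the web server 10.10.10.80 and the inside syslog host 192.168.1.10 are assumed for the example.

```cisco
! Identity static translation (as in the question): inside hosts keep
! their own addresses when talking to the DMZ.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! ACL for traffic entering the inside interface (inside -> dmz).
! Assumed DMZ network 10.10.10.0/24 with a web server at 10.10.10.80.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 10.10.10.80 eq 80
access-list inside_in deny ip any 10.10.10.0 255.255.255.0
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any

! ACL for traffic entering the dmz interface (dmz -> inside): only the
! web server's syslog to an assumed inside host 192.168.1.10, nothing else.
access-list dmz_in permit udp host 10.10.10.80 host 192.168.1.10 eq 514
access-list dmz_in deny ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip 10.10.10.0 255.255.255.0 any

! Bind each ACL inbound on its interface. The name here must match the
! access-list name exactly. Without these two lines the access-lists exist
! but are never consulted: their hit counts stay at 0, yet inside -> dmz
! traffic still flows because higher-to-lower security is permitted by
! default, which is exactly the symptom described in the question.
access-group inside_in in interface inside
access-group dmz_in in interface dmz

! Verification:
!   show access-group            - confirms which ACL is bound to which interface
!   show access-list inside_in   - shows the per-entry hitcnt for new connections
!   show access-list dmz_in
```

Two things to keep in mind when reading the counters: only the first packet of a connection, arriving inbound on the interface where the ACL is bound, increments a hitcnt; the reply packets match the existing connection entry and never touch either ACL, as the answer above describes. And the static on its own does not permit anything: it only defines the translation that is looked up after the ACL check passes, so a bound ACL with an explicit deny still drops the traffic even though the translation exists.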