Cisco Support Community

New Member
URGENT: Outside, DMZ and Inside routing

I am confused with applying access list in interfaces. Any helps/information links will be much appreciated.

(1)The access-list applies on interface Outside will control the incoming traffic from internet to "inside" or to "DMZ" interface?

(2)When there are outside/DMZ/inside interfaces, the incoming traffic from internet (outside interface) will be routed to which interface?

(3) When access-list is applied on DMZ interface, to which direction (inside or outside interfaces) does it control? How do I apply the command for the direction that I want?

Thanks in advance.

3 REPLIES
Gold

Re: URGENT: Outside, DMZ and Inside routing

Hi -

Pls go to the following URL; it gives you examples on DMZ and applying access-group commands etc. Also, the 2nd URL has lots of examples on PIX configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Thanks -

New Member

Re: URGENT: Outside, DMZ and Inside routing

hi,

the command to apply an access-list is:

access-group <access-list-name> in interface <interface-name>

So the access-list controls all traffic coming into the interface regardless of where it goes to. It's the same for interface outside, DMZ or inside.

also there's a good document at the link below. It is about access-lists.

http://www.giac.org/practical/GSEC/Bill_Donaldson_GSEC.pdf

hope this helps..

New Member

Re: URGENT: Outside, DMZ and Inside routing

Access-list applied to the outside interface controls traffic to the DMZ and Inside interface.

The PIX knows which interface by checking its route statements.

If an address comes in with an address that is on the DMZ, then the route statement for the DMZ interface will define this.

Example:

Data comes in for 172.17.1.5

route dmz 172.17.0.0 255.255.0.0 DMZ_Interface_IP

Data comes in for 192.168.1.5

route inside 192.168.0.0 255.255.0.0 Inside_Interface_IP

When an access-list is applied on the DMZ interface, it affects traffic LEAVING the DMZ. When an access-list is applied to the inside interface, it affects traffic LEAVING the inside. When an access-list is applied to the outside, it affects traffic entering the network, whether headed for the DMZ or inside, according to how you specify the destination address. If you specify ANY as the destination in an access-list applied to the outside, then this will affect data directed from outside to the dmz and inside.

hope this helps.
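A PIX 6.x configuration fragment, added here as an example (not taken from this thread or from Cisco's documentation), that puts the two replies above together: the route statements decide which interface a packet is sent out of, while each access-group filters traffic entering the PIX on the named interface. Interface names, addresses, ACL names and the DMZ web/DNS hosts are all assumed.

```cisco
! Three interfaces; security levels decide the default direction of trust
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.17.1.1 255.255.255.0

! Routes: this is how the PIX picks the egress interface for a destination.
! 172.17.x.x goes out dmz, 192.168.x.x goes out inside, everything else outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
route dmz 172.17.0.0 255.255.0.0 172.17.1.254 1

! Translation: inside and dmz hosts use the outside address when going out,
! inside keeps its real addresses toward dmz, and the DMZ web server is
! published on a public address (ACLs on PIX 6.x match the translated address).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 203.0.113.10 172.17.1.5 netmask 255.255.255.255 0 0

! ACL on outside: filters traffic ENTERING from the Internet, no matter which
! interface the route lookup sends it to. Only HTTP to the DMZ web server is
! allowed; nothing from outside reaches inside (explicit deny for readability).
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside

! ACL on dmz: filters traffic LEAVING the DMZ, whether bound for inside or
! outside. The web server may query the internal DNS server, the rest of the
! inside network is blocked, and the DMZ may still reach the Internet.
access-list dmz_out permit udp host 172.17.1.5 host 192.168.1.10 eq domain
access-list dmz_out deny ip any 192.168.0.0 255.255.0.0
access-list dmz_out permit ip any any
access-group dmz_out in interface dmz
```

Without an access-group on the inside interface, inside hosts keep the default behaviour of reaching lower-security interfaces (dmz and outside); adding one would restrict traffic LEAVING inside in the same way.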
