03-11-2019 05:58 AM - edited 02-21-2020 08:55 AM
With reference to this:
The ACL configured at the end for the DMZ: why is it being placed inbound rather than outbound on the DMZ interface? Shouldn't it be outbound, because the traffic is leaving the DMZ into the inside interface to access the DNS?
03-11-2019 06:39 AM
Hi,
The majority of the time an ACL will be applied INbound, as packets would originate inbound on the DMZ interface. If you use an outbound ACL, then the packets arrive inbound on the DMZ interface and are processed for NAT, inspection, etc., only to be dropped after the ASA has spent more resources processing them.
FYI, an example usage of an OUTbound ACL here.
HTH
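To make the placement concrete, here is an added configuration example (not from the thread or any Cisco document) showing the DMZ-to-inside DNS policy applied both ways. It assumes interfaces named `dmz` and `inside`, a DMZ subnet of 192.168.100.0/24 and an inside DNS server at 10.10.10.53; all addresses are constructed placeholders.

```cisco
! Added example; interface names and addresses are assumed placeholders.
! Assumed: nameif "dmz" (security-level 50), nameif "inside" (security-level 100),
! DMZ subnet 192.168.100.0/24, inside DNS server 10.10.10.53.

! Option 1 (the usual choice): filter inbound on the dmz interface.
! A denied packet is dropped at the first ACL check, before NAT and inspection run.
access-list DMZ_IN extended permit udp 192.168.100.0 255.255.255.0 host 10.10.10.53 eq domain
access-list DMZ_IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.10.10.53 eq domain
! Block everything else from the DMZ into the inside network and log it.
access-list DMZ_IN extended deny ip any 10.10.10.0 255.255.255.0 log
! Once an inbound ACL exists on dmz, its implicit deny replaces the security-level
! default, so DMZ hosts need an explicit permit to keep reaching lower-security interfaces.
access-list DMZ_IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! Option 2: the same policy as an outbound ACL on the inside interface.
! The packet still enters on dmz, passes any inbound ACL there, goes through NAT
! and inspection, and only then is evaluated by INSIDE_OUT as it exits toward inside.
access-list INSIDE_OUT extended permit udp 192.168.100.0 255.255.255.0 host 10.10.10.53 eq domain
access-list INSIDE_OUT extended permit tcp 192.168.100.0 255.255.255.0 host 10.10.10.53 eq domain
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT out interface inside
```

You can confirm at which phase a flow is permitted or dropped with `packet-tracer input dmz udp 192.168.100.10 40000 10.10.10.53 53`; the ACCESS-LIST phase in its output shows which ACL made the decision.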