DMZ to Inside traffic

sqambera
Level 1

Hello,

I want my DMZ (low security level) subnet to talk to the Inside (high security level) subnet such that traffic will originate from the DMZ. I have heard that if traffic originating from outside goes to inside, a static NAT entry should already exist on the ASA. Do I likewise need to configure a static NAT in my case where I want the DMZ network to talk to the Inside network? Not to mention that both networks have a private addressing scheme and I don't feel the need to NAT traffic.

Thanks in advance for answering my query.


3 Replies

Dinesh Moudgil
Cisco Employee

You just need to create an access-list to allow the users to communicate from the DMZ (low) to the Inside (high) interface and apply it on the DMZ interface in the inbound direction. It will only allow the returning traffic and will block the traffic initiated from Inside to DMZ.

As long as they use private IPs, there is no need for the natting.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Many thanks Dinesh. A new thought however after looking at your reply. You said that an ACL applied inbound on the DMZ will allow only returning traffic from inside and will block traffic originating from inside to the DMZ. I am thinking that it should not block the traffic that is originating from inside to the DMZ because it would be applied inbound on the DMZ?

Am I missing something? 

Thanks again 

Qamber 

That's right.

I forgot to mention that since the inside interface is at a higher security level than the DMZ, it will allow the traffic initiated from the inside interface.

Thanks for mentioning :) 

Regards

Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
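Putting the accepted answer and the follow-up about ACL direction together as an ASA configuration, added here as an illustration rather than anything posted in the thread. The interface names, the 10.1.1.0/24 and 172.16.1.0/24 subnets, the DMZ web server, the inside database server and TCP port 1433 are all assumed.

```cisco
! Added example, not the poster's configuration. Interface names, subnets,
! hosts and ports are assumed for illustration.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Name the hosts so the ACL reads as intent rather than as bare addresses.
object network DMZ_WEB
 host 172.16.1.10
object network INSIDE_DB
 host 10.1.1.20
!
! Permit only what the DMZ host legitimately needs on the inside, then deny
! everything else from the DMZ toward the inside subnet and log the hits
! (the implicit deny at the end would also drop it; stating it makes it visible).
access-list DMZ_IN extended permit tcp object DMZ_WEB object INSIDE_DB eq 1433
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0 log
! Once an ACL is applied, the default "lower to higher is denied, lower to
! lower/outside is allowed" behaviour no longer applies to this interface,
! so DMZ-to-outside traffic must be permitted explicitly or it will break.
access-list DMZ_IN extended permit ip 172.16.1.0 255.255.255.0 any
!
! Apply inbound on the DMZ interface: this filters packets entering the ASA
! from the DMZ. Inside-initiated flows to the DMZ are still permitted by the
! higher-to-lower security-level rule, and their return packets are matched
! by the stateful connection table, so they never consult DMZ_IN.
access-group DMZ_IN in interface dmz
!
! No NAT statement is needed between two private subnets on ASA 8.3 and later;
! traffic that matches no NAT rule is routed untranslated. Only pre-8.3 images
! with "nat-control" enabled required an identity NAT (nat 0 / static) here.
```

Verify with `show access-list DMZ_IN` that hit counts land on the permit line for legitimate sessions and on the logged deny line for anything unexpected from the DMZ.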