07-23-2015 10:09 AM - edited 03-11-2019 11:19 PM
Hello,
I want my DMZ (low security level) subnet to talk to the Inside (high security level) subnet such that traffic will originate from the DMZ. I have heard that if traffic originating from outside goes to inside, a static NAT entry should already exist on the ASA. Do I likewise need to configure static NAT in my case, where I want the DMZ network to talk to the Inside network? Not to mention that both networks have a private addressing scheme and I don't feel the need to NAT the traffic.
Thanks in advance for answering my query.
07-23-2015 05:49 PM
You just need to create an access-list to allow the users to communicate from the DMZ (low) to the Inside (high) interface and apply it on the DMZ interface in the inbound direction. It will only allow the returning traffic and will block the traffic initiated from Inside to DMZ.
As long as they use private IPs, there is no need for NATting.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
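As an added worked configuration (not from the thread or from Dinesh's post) of the approach described above, in ASA 8.3+ syntax; the interface names, subnets, host address and port are constructed assumptions:

```cisco
! Constructed example: inside = 10.1.0.0/24 (security-level 100), dmz = 172.16.0.0/24 (security-level 50)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Least privilege: permit only the flows the DMZ hosts actually need to initiate toward inside.
! Assumed here: a DMZ web tier reaching one inside database server on TCP/1433.
access-list DMZ_IN extended permit tcp 172.16.0.0 255.255.255.0 host 10.1.0.20 eq 1433
! Everything else the DMZ tries to initiate toward inside is dropped and logged, so a compromised
! DMZ host probing the inside network shows up in the syslog.
access-list DMZ_IN extended deny ip 172.16.0.0 255.255.255.0 10.1.0.0 255.255.255.0 log
! Optional: still let the DMZ reach the outside (e.g. the Internet) after the inside deny above.
access-list DMZ_IN extended permit ip 172.16.0.0 255.255.255.0 any
!
! Applied inbound on dmz: this ACL evaluates packets entering the ASA from the DMZ, i.e. the
! connections the DMZ initiates. Return packets of inside-initiated connections are matched
! against the connection table and are not evaluated by this ACL, so inside -> DMZ traffic is
! still allowed by the higher security level as long as no ACL is applied inbound on inside.
access-group DMZ_IN in interface dmz
!
! No NAT rule is needed between two private ranges: on ASA 8.3+ traffic between interfaces is
! forwarded untranslated unless a NAT rule matches it.
```

`show access-list DMZ_IN` displays the hit counts per line, which is a quick way to verify that only the intended DMZ-initiated flows are being permitted.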
07-23-2015 06:23 PM
Many thanks, Dinesh. A new thought, however, after looking at your reply. You said that the ACL applied inbound on the DMZ will allow only returning traffic from inside and will block traffic originating from inside to the DMZ. I am thinking that it should not block the traffic that is originating from inside to the DMZ, because it would be applied inbound on the DMZ?
Am I missing something?
Thanks again
Qamber
07-23-2015 06:35 PM
That's right.
I forgot to mention that since the inside interface is at a higher security level than the DMZ, it will allow the traffic initiated from the inside interface.
Thanks for mentioning :)
Regards
Dinesh Moudgil
P.S. Please rate helpful posts.