03-28-2008 12:59 PM - edited 03-11-2019 05:23 AM
Hi, I have set up my firewall but there is some confusion in my mind. I have configured a DMZ and an Inside zone, both with different ranges; the inside security level is 100 by default and the DMZ is 50, and as per the default rule the higher security level zone can access the lower security zone. Right? Now look at the configuration below:
DMZ 192.168.10.0/24
Inside 10.0.0.0/24
Now I want the DMZ machine to also be able to access the inside zone machine, and for this I have made an access rule, but is it necessary to exempt the traffic between both networks (DMZ and Inside), or will it work without exemption? If it needs an exempt rule, then why should we make this rule? Can anyone help me?
03-28-2008 01:50 PM
Hi Ray!
Ok, so basically if someone from the inside (10.0.0.0) wants to talk with someone on the DMZ (192.168.10.0) they do not require any access list to be created. If the DMZ wants to INITIATE communication towards the inside network it will require an access list. This is because the security level of the interface does not let the lower interface initiate communication to higher interfaces. This is why you'll need to make rules if anything in the DMZ needs to request communications from the inside network.
I hope this assists.
03-28-2008 01:58 PM
Well, I already know what you have mentioned in your reply. My question is about the exemption rule. Is an exempt rule required between both the Inside and DMZ networks? Thanks
03-28-2008 02:12 PM
I think you are referring to NAT. If you have a static translation setup between your inside to your DMZ AND your DMZ to your inside, that will work as well as a NAT exemption. You can NAT from one address to the same address. For example:
nat (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
nat (DMZ,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I hope this helps.
--Gavin Budd
03-28-2008 02:41 PM
Hi Gavin, so it means I can use either a two-way exempt rule or a NAT rule. Both rules are capable of creating connectivity between both networks. Thanks
03-28-2008 02:55 PM
Hi Ray
"is it necessary exempt the traffic between both network (DMZ and Inside)"
NAT exemption is not a must for achieving this. You can add the following line and apply PAT
global (inside) x interface "x is your id number"
or you can exempt it like following
static (dmz,inside) dmznetworkhere dmznetworkhere netmask 255.255.255.0
Or if you like, you can implement this via a policy nat to exempt, for specific traffic.
Regards
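To make the options in the replies above concrete, here is an added example (not configuration from any poster in this thread) in the pre-8.3 ASA/PIX syntax the thread uses. The interface names, the firewall's own addresses (.1 on each subnet), the inside host 10.0.0.25, TCP port 1433 and the ACL names are assumptions chosen for illustration; only the two subnets come from the original question. The example shows the access list that actually permits DMZ-initiated traffic, and then the two translation styles mentioned in the thread (NAT exemption with `nat 0 access-list`, and an identity `static`), of which you need at most one.

```cisco
! --- Interfaces as described in the thread (interface IDs and .1 addresses are assumed) ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! --- 1. The access list is always required for DMZ-initiated (low -> high) traffic ---
! Permit only what the DMZ host legitimately needs on the inside (10.0.0.25:1433 is a
! hypothetical database server), deny everything else toward inside, keep outbound open.
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 host 10.0.0.25 eq 1433
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
!
! --- 2a. Option A: NAT exemption between the two networks ---
! nat 0 with an access-list is matched in both directions, so inside <-> DMZ traffic
! keeps its real addresses whichever side initiates.
access-list INSIDE_NO_NAT extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NO_NAT
!
! --- 2b. Option B: identity static (the "NAT to the same address" idea from the thread) ---
! Presents the inside network to the DMZ under its own addresses, so a DMZ host can
! initiate to 10.0.0.25 directly. Use either A or B, not both, for the same addresses.
! static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! --- 3. Verify: trace a DMZ-initiated connection through ACL and NAT (7.2 and later) ---
! packet-tracer input DMZ tcp 192.168.10.5 1025 10.0.0.25 1433
! show xlate
```

The caveat a practitioner should check first is `nat-control`. On ASA 7.0 and later it is disabled by default, and then no translation rule is needed at all for DMZ-to-inside traffic: the access list in step 1 is sufficient. Only when `nat-control` is enabled (or on older PIX code) must a translation exist for the inside host, and that is what either the exemption or the identity static provides; a plain `nat`/`global` pair on the inside interface does not help, because dynamic translations are only created for connections initiated from the higher-security side. On ASA 8.3 and later the same intent is expressed with network objects and a twice NAT line such as `nat (inside,DMZ) source static inside-net inside-net`, and the access list then references real addresses. Treat the example as a starting point and tighten the DMZ access list to the specific hosts and ports your application requires.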
03-28-2008 02:50 PM
You can NAT from one address to the same address. For example:
nat (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
nat (DMZ,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I didn't understand this point.
03-28-2008 02:57 PM
What Gavin suggests is not NAT! It is another way of applying exempt NAT.