NAT to Inside interface...Sounds untraditional! But required...

Leo_Stobbe, Level 1

I have:

DMZ:security level 50

Inside:security level 50

I use nat-control for communication.

How to enable NAT from Dmz to Inside?

Thanks

12 Replies

Leo_Stobbe, Level 1

Sorry, my mistake.

Inside:security level 100

Hello,

Normal statics should work.

If you want to actually use the 'nat' command, you have to use the keyword 'outside' on the end of the nat command (when going from lower to higher security level interfaces).

Example:

nat (dmz) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface

--Jason

Please rate this message if it helped solve some or all of your question/issue.

Hi again,

Should I also put an ACL on the in interface of the protected network (inside)?

What are you looking to accomplish? To go from inside to dmz you will not need an acl. To go from dmz to inside, yes you will need an acl, but it would be into dmz interface.

Hi again,

I want to get from dmz to inside.

That is my question. Why should I put an ACL on the in interface of the dmz? By logic the acl should be on the in interface of the inside interface, as I am going to inside...

Please correct me if I am wrong.

thanks

Leo

Leo,

I understand what you are saying but you have to become familiar with how acl's are applied. When going from a lower security interface (dmz) to a higher security interface (inside) you need to have an acl. Therefore going from dmz to inside the traffic is checked against an acl "into the dmz port" as this is where the traffic needs to go to get to the inside. I suppose you could also write an acl "out of inside" interface but not usually how it's done. I don't know another way to explain it.

Hi,

Thanks for your reply.

As I know, to restrict incoming traffic you should use an inbound acl. For outgoing traffic you should use an outbound acl.

For example, I have an acl enabled on the in interface of the outside interface (to make web resources available for public usage).

I don't need any acl when I access the outside from dmz and inside.

I thought that when going from the dmz (lower) to the inside (high) interface, I need to put a permit acl on the in interface of inside.

Maybe you are right that I also need to put a permit acl on the out interface of the dmz. But I can't understand why I need to put a permit acl on the in interface of the dmz?

Thanks

Leo

Leo,

Please read again what I wrote. I never said to put an acl on the out interface of the dmz. I said if you want the dmz to access the inside you need an acl on the in interface of the dmz, just as if you need outside to access inside you need an acl on the in interface of outside.

Hi,

Thank you.

I understood.

regards

Leo

Hi,

Sorry for disturbing.

As you told me, I have put an ACL on the in interface of the DMZ (security level 50) interface. So I have the restriction from dmz to inside (security level 100). It is ok for me. But this ACL also made the restriction from dmz to outside. This is not good for me, because, for example, if I need the DMZ servers to go to outside by tcp 25, I need to add a permit statement in the ACL for tcp 25. But it will also allow the DMZ servers to initiate connections by tcp 25 to the inside interface, which is not required at all...

I managed to solve it after adding some deny statements in the ACL. But I am interested: is there any alternative and better solution?

So I will be able to make different restrictions for outside and inside from the DMZ.

thanks

It is all how you write your access-list.

1. Permit what you want inside

2. Deny everything else inside

3. Permit what you want outside

4. Explicit Deny

You can still make different restrictions to outside and to inside.
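As an added illustration of the four-step ordering in the reply above (this is not code from the thread or from Cisco), here is a small Python model of first-match ACL evaluation over a constructed dmz_in access-list: SMTP from the DMZ is permitted outward but denied toward inside, while one HTTP server on inside stays reachable. The subnets, the ACL name and the sample flows are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumption): inside = 192.168.1.0/24, DMZ = 172.16.1.0/24,
# everything else is "outside". The ACL follows the ordering from the reply:
# 1. permit what you want inside, 2. deny everything else inside,
# 3. permit what you want outside, 4. explicit deny.
ACL_TEXT = """
access-list dmz_in extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.10 eq 80
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in extended permit tcp 172.16.1.0 255.255.255.0 any eq 25
access-list dmz_in extended deny ip any any
"""

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # destination port from "eq", None = any port

def _addr(tok, i):
    """Parse one address spec (any | host X | NET MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[3], tok[4], src, dst, port))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First matching entry wins, as on the firewall; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and ace.port in (None, dport):
            return ace.action
    return "deny"
```

Reordering the list so that the outside SMTP permit comes before the inside deny would let the DMZ reach inside on tcp 25 again, which is exactly the problem the deny-before-permit ordering avoids.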

lganeva, Level 1

Hi,

There is a feature called NAT. I used to get it working on our firewalls, but it depends on the software version used. Please search for outside NAT (actually it is the outside word that makes it different from the ordinary NAT). And you should take care when writing an ACL on the DMZ interface. I cannot remember exactly, but there was something specific.
