Folks:
I need a little help here with a question that relates more to best practice than to technical details.
I currently have my lab configured as follows:
192.168.3.1 (internal) 192.168.1.0/24 (DMZ)
<>-------------------------------[Firewall]------------<>
+ Currently there is no route configured from 192.168.3.0 to 192.168.1.0.
- only directly connected
- c 192.168.3.0 255.255.255.0 is directly connected, inside
+ Currently no route configured from 192.168.1.0 to 192.168.3.0
- only directly connected
- c 192.168.1.0 255.255.255.0 is directly connected, dmz
+ Internal servers use a NAT address in the DMZ if needed
- Example: 192.168.3.5 ->NAT-> 192.168.1.5
+ There is an ACL applied on the Internal interface
- access-list DMZ extended permit ip any any
+ From internal I can PING any device in the DMZ; however, from the DMZ I cannot ping any device on the 192.168.3.0/24 subnet, because the route is not created.
My main question – is this safe since the DMZ does not have a route to the Internal network?
Thanks.
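Added example for the layout in the question (this is not the poster's configuration; the route output and ACL syntax in the post are Cisco ASA, so ASA syntax is used here, with ASA 8.3+ object NAT). What it shows: the firewall itself already has a route between the two subnets, because both are directly connected (the two "C" entries in the post), and a DMZ host's default gateway is the firewall, so the absence of a route on the DMZ side is not what blocks DMZ-to-inside traffic. On an ASA that traffic is blocked by the lower security level of the dmz interface and, explicitly, by the ACL bound to dmz; a "permit ip any any" ACL bound to dmz would open the path. The interface names, security levels, the ACL names DMZ_IN and INSIDE_IN, the object name INSIDE_SRV and the TCP port 1433 are assumptions; the addresses and the 192.168.3.5 -> 192.168.1.5 NAT pair are taken from the post.

```cisco
! Both subnets are directly connected, so the ASA forwards between
! them with no "route" statement at all.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Static NAT for the one inside server the DMZ is allowed to reach:
! 192.168.3.5 appears in the DMZ as 192.168.1.5 (assumed name INSIDE_SRV).
object network INSIDE_SRV
 host 192.168.3.5
 nat (inside,dmz) static 192.168.1.5
!
! --- Weak setting: a permit-any ACL bound to the dmz interface overrides
! the security-level default and lets any DMZ host initiate to inside.
! access-list DMZ_IN extended permit ip any any
! access-group DMZ_IN in interface dmz
!
! --- Corrected: the DMZ may initiate only what it needs; everything else
! toward inside is denied and logged. First match wins, so the deny must
! come before the broad permit. On ASA 8.3+ ACLs match the real (pre-NAT)
! address, hence host 192.168.3.5 and not 192.168.1.5. Port 1433 is assumed.
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.3.5 eq 1433
access-list DMZ_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 log
access-list DMZ_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! Inside keeps a permit-any, as in the post. Replies to connections that
! inside opened to the DMZ come back through the stateful connection table,
! not through DMZ_IN, so the ping from inside still works.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

To check the effect without waiting for a real packet, `packet-tracer input dmz icmp 192.168.1.20 8 0 192.168.3.10` on the ASA walks a simulated DMZ-to-inside ping through routing, NAT and the ACL and reports which phase dropped it; with the corrected DMZ_IN it should show the drop at the ACCESS-LIST phase rather than at ROUTE-LOOKUP, which is the point: routing was never the control.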