Question about route (to and from) DMZ and Internal interface
05-16-2012 09:33 AM - edited 03-11-2019 04:08 PM
Folks:
I need a little help here with a question that relates more to best practice than technical.
I currently have my lab configured as follows:
192.168.3.1 (internal) 192.168.1.0/24 (DMZ)
<>-------------------------------[Firewall]------------<>
+ Currently there is no route configured from 192.168.3.0 to 192.168.1.0.
- only directly connected
- c 192.168.3.0 255.255.255.0 is directly connected, inside
+ Currently no route configured from 192.168.1.0 to 192.168.3.0
- only directly connected
- c 192.168.1.0 255.255.255.0 is directly connected, dmz
+ Internal servers use a NAT address to the DMZ if needed
- Example: 192.168.3.5 ->NAT-> 192.168.1.5
+ There is an ACL applied on the Internal interface
- access-list DMZ extended permit ip any any
+ From internal I can PING any device in the DMZ; however, from the DMZ I cannot ping any device on the 192.168.3.0/24 subnet, due to the route not being created.
My main question – is this safe since the DMZ does not have a route to the Internal network?
Thanks.
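A small reachability model of the lab described above, added here as an illustration and not taken from the thread or from Cisco. It treats both subnets as directly connected (as the posted routing table shows) and lets the inbound ACL of the ingress interface decide; the DMZ interface carrying no permit entry, the host addresses used in the calls, and the ACL matching order are assumptions of the model.

```python
import ipaddress

# Constructed model of the lab in the question, not the poster's running config.
# Both subnets are directly connected (the posted routing table shows this), so
# the decision below is made by the inbound ACL of the ingress interface.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.3.0/24"),
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
}
# Static NAT from the post: internal 192.168.3.5 is seen by the DMZ as 192.168.1.5.
STATIC_NAT = {"192.168.3.5": "192.168.1.5"}
# Inbound ACL per interface as (action, src, dst); "any" is a wildcard and an
# unmatched packet hits the implicit deny. Assumption: no permit entry on dmz.
ACLS = {"inside": [("permit", "any", "any")], "dmz": []}

def _match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means implicit deny."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False

def forward(ingress, src, dst, acls=ACLS):
    """Return (decision, reason) for a packet arriving on `ingress` bound for `dst`."""
    # Undo the static NAT so the egress lookup uses the real internal address.
    real_dst = {nat: real for real, nat in STATIC_NAT.items()}.get(dst, dst)
    egress = next((n for n, net in INTERFACES.items()
                   if ipaddress.ip_address(real_dst) in net), None)
    if egress is None:
        return ("drop", "no route to " + real_dst)
    if not acl_permits(acls[ingress], src, dst):
        return ("drop", f"{ingress}->{egress} denied by {ingress} ACL (implicit deny)")
    return ("forward", f"{ingress}->{egress} permitted, delivered to {real_dst}")

if __name__ == "__main__":
    print(forward("inside", "192.168.3.10", "192.168.1.20"))  # ping from internal works
    print(forward("dmz", "192.168.1.20", "192.168.3.10"))     # DMZ host blocked
    print(forward("dmz", "192.168.1.20", "192.168.1.5"))      # NAT alone opens nothing
    # The exposure depends on the DMZ policy staying tight: a wide-open DMZ ACL
    # makes every internal host reachable from the DMZ.
    loose = dict(ACLS, dmz=[("permit", "any", "any")])
    print(forward("dmz", "192.168.1.20", "192.168.3.10", loose))
```

Running it shows that what keeps the internal subnet unreachable from the DMZ is the DMZ-side policy, so that policy is the thing to review and monitor for changes.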

05-16-2012 09:50 AM
Can you share the configuration? That would determine if a route is needed or not.
Thanks,
Varun Rao
Security Team,
Cisco TAC
