
to allow access from dmz to inside

prashantrecon
Level 1

inside -172.16.x.x

dmz- 192.168.x.x

inside security level-100

dmz- 50

By default inside should be able to access dmz as no nat-control is enabled.

Now dmz should be able to access inside.

I have used: access-list dmzin permit 192.168.x.x any

access-group dmzin in interface dmz

Is there any alternative to the above solution?

4 Replies

varrao
Level 10

Hi Prashant,

Is it working fine for you? I am not exactly able to understand what you are really looking for.

For allowing traffic you would definitely need the access-list that you applied while going from lower security to higher security level.

Varun

Thanks,
Varun Rao

Hi Varun,

The above access-list is working fine, but most often I have seen the use of

static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.255

The access-list is applied on dmz.

Can you explain to me how this NAT works?

Hi Prashant,

The static statement is a self nat statement, which means if the users in the DMZ tried to access the server 172.16.xx.xx, the server IP would be translated to its own IP itself, which is a correct static statement.

Thanks,

Varun

Thanks,
Varun Rao

Just for example:

Assume inside network - 172.16.x.x

dmz network - 192.168.1.x

Say dmz should be able to access an inside network server, e.g. 172.16.101.5

access-list dmzin permit tcp any host 172.16.101.5 eq 80

access-group dmzin in interface dmz

Does the access list work?
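
Added example, not part of the thread and not Cisco code: a simplified Python model of the security-level default and an inbound ACL on the dmz interface, comparing the two ACLs posted above. The /24 DMZ mask, the `outside` interface at level 0, the test hosts, and reading the first ACL as `permit ip` are assumptions; NAT and connection state are not modelled.

```python
# Added example: simplified model of ASA interface security levels plus an
# inbound interface ACL. Not Cisco code; NAT, state tracking and
# same-security-traffic are left out.
from ipaddress import ip_address, ip_network

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}  # outside=0 is an assumption

ANY = ip_network("0.0.0.0/0")
SERVER = ip_network("172.16.101.5/32")   # inside server named in the thread
DMZ_NET = ip_network("192.168.1.0/24")   # /24 mask is an assumption

# Each entry: (action, protocol, source net, destination net, dest port or None)
BROAD_ACL = [("permit", "ip", DMZ_NET, ANY, None)]   # first ACL, read as "permit ip"
NARROW_ACL = [("permit", "tcp", ANY, SERVER, 80)]    # last ACL in the thread


def acl_permits(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if ip_address(src) not in a_src or ip_address(dst) not in a_dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action == "permit"
    return False


def allowed(in_if, out_if, proto, src, dst, dport, inbound_acls):
    """Decide whether a new connection entering in_if may leave via out_if."""
    acl = inbound_acls.get(in_if)
    if acl is not None:
        # An ACL bound with "access-group ... in interface" replaces the
        # security-level default for everything arriving on that interface.
        return acl_permits(acl, proto, src, dst, dport)
    # No ACL bound: only higher-to-lower security level is allowed.
    return LEVELS[in_if] > LEVELS[out_if]


if __name__ == "__main__":
    for name, acl in (("none", None), ("broad", BROAD_ACL), ("narrow", NARROW_ACL)):
        acls = {} if acl is None else {"dmz": acl}
        web = allowed("dmz", "inside", "tcp", "192.168.1.10", "172.16.101.5", 80, acls)
        ssh = allowed("dmz", "inside", "tcp", "192.168.1.10", "172.16.101.9", 22, acls)
        out = allowed("dmz", "outside", "tcp", "192.168.1.10", "198.51.100.7", 443, acls)
        print(f"{name:6} web={web} other-inside-host={ssh} dmz-to-outside={out}")
```

The narrow ACL reaches only the web server on port 80, and because its implicit deny covers everything else arriving on dmz, DMZ traffic to a lower-security interface also needs its own permit entry.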
