11-07-2017 02:46 AM - edited 03-12-2019 04:42 AM
We have two offices (Office A and Office B) running an L2L VPN between two ASAs. Office A has a DMZ hosting a few servers. Hosts inside Office A can access the servers, but the servers cannot access inside hosts in Office A (as expected, since traffic from a lower security level to a higher security level is blocked). But servers in the DMZ are able to access hosts in Office B over the VPN. How do we limit the traffic between Office B inside hosts and the Office A DMZ so that it is unidirectional?
Office A VPN Office B
Inside <------> Inside
DMZ <------- Inside
11-07-2017 08:07 AM
You could simply configure an access-list on the DMZ interface dropping the packets to inside networks and allowing everything else.
11-09-2017 04:17 AM
Wouldn't it stop the communication between inside and DMZ completely?
We only want to stop DMZ servers' ability to initiate a connection.
11-09-2017 04:33 AM
The ASA is a stateful firewall, so it is aware of established connections and will allow them.
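Putting the two replies above together (an inbound ACL on the DMZ interface that denies new connections toward both offices' inside networks, relying on the ASA's connection table to let return traffic through), here is an added example of what that configuration looks like in ASA CLI. It is not configuration from the thread's participants: the interface name `dmz`, the object-group names and all addresses are constructed placeholders, so substitute your own.

```cisco
! Constructed placeholder addressing; replace with the real networks.
object-group network OFFICE-A-INSIDE
 network-object 10.1.0.0 255.255.0.0
object-group network OFFICE-B-INSIDE
 network-object 10.2.0.0 255.255.0.0
object-group network OFFICE-A-DMZ
 network-object 192.168.100.0 255.255.255.0

! Inbound ACL on the DMZ interface: this is evaluated only for the first packet
! of a NEW connection, so it blocks DMZ-initiated sessions toward the inside
! networks while connections initiated from Inside (either office) to the DMZ
! still get their replies back through the stateful connection table.
! "log" produces syslog 106023 on hits, which is useful for spotting servers
! in the DMZ that unexpectedly try to reach inside hosts.
access-list DMZ_IN extended deny ip object-group OFFICE-A-DMZ object-group OFFICE-B-INSIDE log
access-list DMZ_IN extended deny ip object-group OFFICE-A-DMZ object-group OFFICE-A-INSIDE log
access-list DMZ_IN extended permit ip object-group OFFICE-A-DMZ any

access-group DMZ_IN in interface dmz

! Verification: simulate a DMZ server opening a connection to an Office B host.
! The trace should end with "Action: drop" on the ACL phase.
packet-tracer input dmz tcp 192.168.100.10 12345 10.2.0.5 80

! Hit counters on the deny lines confirm the rule is actually catching traffic.
show access-list DMZ_IN
```

Two caveats a practitioner will want. First, once an ACL is bound to an interface it replaces the implicit security-level behaviour for that interface: the trailing `permit ip ... any` would otherwise let the DMZ reach the higher-security Inside network, which is why the deny for `OFFICE-A-INSIDE` is explicit rather than left to the security levels. Second, `sysopt connection permit-vpn` (on by default) exempts traffic that arrives decrypted from the VPN tunnel from interface ACLs, but that does not affect this case, because DMZ-originated packets hit the `dmz` interface ACL before they are ever encrypted; Office B's ASA therefore never needs to see them.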
11-23-2017 08:58 PM