Ip address outside 192.168.0.1 255.255.255.0
Ip address inside 192.168.100.1 255.255.255.0
Ip address internet 192.168.20.1 255.255.255.0
Ip address dmz30 192.168.30.1 255.255.255.0
Ip address dmz40 192.168.40.1 255.255.255.0
Ip address dmz50 192.168.50.1 255.255.255.0
I am not allowed to use the outside interface for the Internet because my customer considers his leased line connection to a commercial vendor (outside interface) less secure than the Internet.
I only want inside and dmz40 to be able to access systems on the outside interface. I only want dmz50 and dmz30 to access internet. I do not want internet to access outside.
What is the best (most secure) way to deny access from a higher interface to a lower interface?
Should it be done by an access rule, or by absence of a translation rule?
On my test network, I cannot connect from dmz50 to outside, apparently since my only translation for dmz50 is “static (dmz50,internet) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0 0”.
When I try to set up an access rule to deny all ip from dmz50 to outside, PDM prompts me to set up a NAT rule. I was hoping to use overkill and have a deny all access rule AND no translation. Is this possible?
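The two mechanisms asked about above, an interface access rule and the presence or absence of a translation, can be thought of as two independent gates that an outbound (higher to lower) flow must pass. The following is an added illustration, not part of the original post or of any Cisco software: it models the poster's interfaces and the single dmz50 static with a simplified PIX-style evaluation (ACL first, then translation lookup). The security-level ordering, the nat-control assumption and the sample addresses are assumptions for the sake of the example.

```python
import ipaddress

# Assumed security-level ordering, highest first (not stated in the post).
INTERFACES = ["inside", "dmz40", "dmz50", "dmz30", "internet", "outside"]

# Constructed translation table: (source interface, destination interface,
# translated source network). Only the poster's dmz50 static is present, and
# nat-control is assumed, so a flow with no matching entry is dropped.
XLATES = [("dmz50", "internet", "192.168.50.0/24")]


def higher_to_lower(src_if, dst_if):
    """True when traffic goes from a more secure to a less secure interface."""
    return INTERFACES.index(src_if) < INTERFACES.index(dst_if)


def acl_permits(acl, src_ip, dst_ip):
    """Evaluate an access-group bound to the ingress interface top-down.

    Entries are (action, source network, destination network). With no
    access-group bound, outbound traffic is permitted by default; once any
    entries are bound, an unmatched flow hits the implicit deny at the end.
    """
    if acl is None:
        return True
    for action, src_net, dst_net in acl:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)):
            return action == "permit"
    return False


def xlate_exists(src_if, dst_if, src_ip):
    """Look for a translation covering this (ingress, egress, source) tuple."""
    return any(si == src_if and di == dst_if
               and src_ip in ipaddress.ip_network(net)
               for si, di, net in XLATES)


def flow_allowed(src_if, dst_if, src, dst, acl=None):
    """An outbound flow is forwarded only if the ingress ACL permits it AND a
    translation exists: an explicit deny and a missing translation each block
    it on their own, so configuring both gives two independent controls."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not higher_to_lower(src_if, dst_if):
        return False  # lower-to-higher flows need a static and an ACL; not modelled
    if not acl_permits(acl, src_ip, dst_ip):
        return False
    return xlate_exists(src_if, dst_if, src_ip)
```

Running `flow_allowed("dmz50", "outside", "192.168.50.10", "192.168.0.10")` returns False purely because no (dmz50,outside) translation exists, which is the behaviour described in the post; adding a deny entry for the same flow changes nothing observable but blocks it a second time.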