First Last asked on

Cisco ASA with DMZ - Allow internal hosts

I have a Cisco ASA with a DMZ. I'm wondering what some resources/best practices are on allowing internal hosts on the corporate LAN to access a host which is in the DMZ. The host in the DMZ is accessible over port 443. One lingering question is how you allow the host in the DMZ to access a host in the private network only when the connection is initiated by the host in the private network.
Cisco


8/22/2022 - Mon
jeroentb

At the private side, add an access-list entry to permit tcp/443 to the DMZ host...
ASKER CERTIFIED SOLUTION
max_the_king

First Last

ASKER
Simple enough, my default Security Levels were wrong. DMZ should be 50, Inside 100, and Outside 0. This addressed my concern about preventing traffic originating in the DMZ from entering the Inside network.

https://www.youtube.com/watch?v=eeTZZN5U858

max_the_king - your comment " default on ASA inside LAN can always access DMZ, bypassing nat rules and without the need of access lists " made me think about the Security Levels.
max_the_king

Yep, the higher the security level, the more secure the zone is. You usually give 100 to inside and 0 to the outside interface. In the middle you may create other zones.
max
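A constructed ASA configuration fragment, added here as an illustration and not taken from the thread or from Cisco documentation, showing the security levels the asker settled on (inside 100, DMZ 50, outside 0) together with a least-privilege access list for inside-to-DMZ HTTPS; the interface names, addresses and the DMZ-WEB object are assumptions.

```cisco
! Security levels: traffic from a higher-level interface to a lower-level one is
! permitted by default; lower-to-higher is denied unless an ACL explicitly allows it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Assumed address of the DMZ web host
object network DMZ-WEB
 host 192.168.50.10
!
! Inside -> DMZ: once an ACL is applied to "inside", the implicit permit-to-lower-level
! behaviour is replaced by this list, so only HTTPS to the web host is allowed.
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 object DMZ-WEB eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! DMZ -> inside: no permit entry, so the DMZ host cannot originate connections to the
! inside network. Replies to inside-initiated sessions still pass because the ASA
! tracks each connection's state; return traffic is not evaluated against this ACL.
access-list DMZ_IN extended deny ip any 10.10.0.0 255.255.255.0 log
access-list DMZ_IN extended permit ip object DMZ-WEB any
access-group DMZ_IN in interface dmz
!
! Verification (run from enable mode, not part of the configuration):
!   packet-tracer input inside tcp 10.10.0.20 40000 192.168.50.10 443   -> ALLOW
!   packet-tracer input dmz tcp 192.168.50.10 40000 10.10.0.20 445      -> DROP (acl)
!   show conn address 192.168.50.10                                       -> open sessions
```

The DMZ_IN deny entry is logged so that any attempt by the DMZ host to reach the inside network shows up in syslog, which is the check the asker's original concern calls for.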