
Inside to DMZ communication

17 years 6 months ago #21677 by Smurf

[quote]James,

That's very interesting, thanks for sharing. The way I would have done it was with policy NAT 0. Just a question: does this mean that the DMZ can route traffic to the inside if the necessary access-lists are in place on the DMZ interface?


Yes. :) Here is an example of my PIX configuration at home.[/quote]

So, just to clarify:

The [code:1]static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0[/code:1]

does or doesn't allow DMZ traffic to flow to the inside, providing there are access-lists in place to allow it?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 6 months ago #21678 by semper

[quote]So, just to clarify:

The [code:1]static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0[/code:1]

does or doesn't allow DMZ traffic to flow to the inside, providing there are access-lists in place to allow it?[/quote]


It will allow traffic to originate from the dmz to the internal network if you specifically allow it via an access-list on the dmz interface.

If you do not have an access-list on the dmz interface the firewall will not allow traffic to originate from the dmz to the internal network.

Better? :)
17 years 6 months ago #21679 by Smurf
Thanks, that's what I thought. Learned something new there; however, I would say that doing it using policy NAT 0 would be much more secure, since it would rely on specific static commands being specifically entered to allow communication originating from the DMZ. Generally, the DMZ segment shouldn't allow direct communication to the whole of the inside network, only direct communication to specific hosts (i.e. web server in the DMZ to backend SQL server in the inside network).

This also helps with misconfiguration: using the static command in the manner highlighted, a misconfiguration in the ACL could possibly cause some serious consequences. However, if you had to configure ACLs and specific static commands to allow specific hosts to communicate internally, then you would need to purposely configure the static and misconfigure the ACL, which is less likely.

Well, that's just my opinion. That said, I am fairly comfortable with ACLs, so it's worth knowing that you can do that with a static command, and I may start using it myself...

Thanks very much for bringing this to the forum, it's been a very interesting concept for me to learn........always learning about the Pix........

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
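The two approaches discussed in this thread, side by side, as an added example that is not James's configuration or anything posted above. Interface names, the DMZ web server (192.168.1.10), the inside SQL server (10.10.10.50) and the ACL names are assumptions chosen for illustration; the only value taken from the thread is the 10.10.10.0/24 identity static. It assumes nat-control is in effect (always the case on PIX 6.x), so a connection from the lower-security DMZ to the inside needs both a translation and an ACL permit.

```cisco
! Added illustration, not from the thread. Host addresses, interface and
! ACL names are assumptions.
!
! Common to both options: the DMZ inbound ACL permits only the
! web server -> SQL server flow (implicit deny covers everything else).
access-list dmz_in permit tcp host 192.168.1.10 host 10.10.10.50 eq 1433
access-group dmz_in in interface dmz
!
! Option A (the thread's approach): identity static for the whole inside
! subnet. Every inside host now has a DMZ-facing translation, so the
! dmz_in ACL is the only thing standing between the DMZ and the inside.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Option B (Smurf's preference): NAT exemption limited to the one host pair.
! Only 10.10.10.50 is reachable from 192.168.1.10; other inside hosts have
! no translation toward the DMZ, so a too-broad dmz_in line on its own
! still cannot reach them.
access-list nonat_dmz permit ip host 10.10.10.50 host 192.168.1.10
nat (inside) 0 access-list nonat_dmz
```

Use one option or the other, not both. The difference shows up under misconfiguration: if someone later adds `access-list dmz_in permit ip host 192.168.1.10 10.10.10.0 255.255.255.0`, option A exposes the whole inside subnet to the web server, whereas option B still drops everything except the SQL server because the translation check fails first. Either way, `show xlate` and `show access-list dmz_in` (hit counts) are the quick checks that the translations and permits in effect match what was intended.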
17 years 4 months ago #22379 by skepticals
Replied by skepticals on topic Not working...
Moved.