An Outside User Visits a Web Server on the DMZ - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01), page 15-4
Chapter 15: Firewall Mode Overview

Routed Mode Overview

4. The security appliance then records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.

An Outside User Visits a Web Server on the DMZ

Figure 15-3 shows an outside user accessing the DMZ web server.

Figure 15-3 Outside to DMZ
[Figure labels: User; Outside 209.165.201.2; Inside; DMZ; 10.1.2.1; 10.1.1.1; Web Server 10.1.1.3; Dest Addr Translation 209.165.201.3, 10.1.1.13]

The following steps describe how data moves through the security appliance (see Figure 15-3):

1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the classifier "knows" that the DMZ web server address belongs to a certain context because of the server address translation.
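
The new-session versus established-session handling described in the steps above, as a simplified Python model. This is an added example, not Cisco code or part of the original guide. The class and function names, the outside client address 198.51.100.10, and the policy that permits only TCP port 80 are assumptions; the translation 209.165.201.3 to 10.1.1.13 is the one labelled in Figure 15-3.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Appliance:
    """Toy model of the routed-mode packet path (assumed names, not ASA code)."""
    static_nat: dict   # global (mapped) address -> local (real) address
    permit: set        # (global dst address, dst port) pairs the policy allows
    sessions: dict = field(default_factory=dict)
    policy_lookups: int = 0

    def inbound(self, p: Packet):
        """Outside -> DMZ: a new session is checked against policy, then translated."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.sessions:
            self.policy_lookups += 1          # only new sessions pay for this
            if (p.dst, p.dport) not in self.permit or p.dst not in self.static_nat:
                return None                   # dropped, no session recorded
            self.sessions[key] = self.static_nat[p.dst]
        return Packet(p.src, p.sport, self.sessions[key], p.dport)

    def reply(self, p: Packet):
        """DMZ -> outside reply: forwarded on a session match, no policy lookup."""
        for (src, sport, gdst, dport), local in self.sessions.items():
            if (p.src, p.sport, p.dst, p.dport) == (local, dport, src, sport):
                return Packet(gdst, p.sport, p.dst, p.dport)  # restore global addr
        return None  # not a reply to a recorded session (new connections not modelled)

def demo():
    fw = Appliance(static_nat={"209.165.201.3": "10.1.1.13"},
                   permit={("209.165.201.3", 80)})
    client = "198.51.100.10"                  # constructed outside user address
    first = fw.inbound(Packet(client, 40000, "209.165.201.3", 80))
    again = fw.inbound(Packet(client, 40000, "209.165.201.3", 80))
    reply = fw.reply(Packet("10.1.1.13", 80, client, 40000))
    ssh = fw.inbound(Packet(client, 40001, "209.165.201.3", 22))
    stray = fw.reply(Packet("10.1.1.13", 80, client, 55555))
    return fw, first, again, reply, ssh, stray

if __name__ == "__main__":
    print(demo()[1:])
```

The counter `policy_lookups` shows that the second packet of the HTTP flow and the server's reply are forwarded on the session match alone, while the port 22 attempt triggers a policy lookup and leaves no session behind.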
