A DMZ User Attempts to Access an Inside Host - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Chapter 15
Firewall Mode Overview

3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.

If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.

A DMZ User Attempts to Access an Inside Host

Figure 15-6 shows a user in the DMZ attempting to access the inside network.

Figure 15-6 DMZ to Inside
[Figure: network diagram. Labels: Outside, 209.165.201.2; 10.1.2.1; 10.1.1.1; Inside, 10.1.2.27; DMZ, 10.1.1.3; User; Web Server]

The following steps describe how data moves through the security appliance (see Figure 15-6):

1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to
   route the traffic on the internet, the private addressing scheme does not prevent routing.
2. The security appliance receives the packet and because it is a new session, the security appliance
   verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.

Transparent Mode Overview

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump
in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.

This section describes transparent firewall mode, and includes the following topics:

Transparent Firewall Network, page 15-8
Allowing Layer 3 Traffic, page 15-8

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 15-7
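
Step 3 of the DMZ-to-inside flow above ends with the appliance logging the denied connection attempt. The following is an added example, not part of the Cisco manual, that counts such attempts in syslog output. It assumes the denial appears as message 106023, assumes /24 masks for the DMZ and inside subnets, and uses constructed log lines with hypothetical access list names.

```python
import ipaddress
import re
from collections import Counter

# Subnets inferred from the addresses on Figure 15-6; the /24 masks are an assumption.
DMZ_NET = ipaddress.ip_network("10.1.1.0/24")
INSIDE_NET = ipaddress.ip_network("10.1.2.0/24")

# Assumption: the denied attempt is logged as message 106023 (denied by an
# access list); the page does not name the message ID.
DENY_RE = re.compile(
    r"%(?:ASA|PIX)-\d-106023: Deny (?P<proto>\S+) "
    r"src [^:\s]+:(?P<src_ip>[\d.]+)(?:/\d+)?.*? "
    r"dst [^:\s]+:(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r'.*?by access-group "(?P<acl>[^"]+)"'
)

def dmz_to_inside_denies(lines):
    """Count denied DMZ-to-inside attempts per (src, dst, protocol, dst port).

    Matching is done on addresses, not interface names, because interface
    names are chosen by the administrator.
    """
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an access-list deny record
        try:
            src = ipaddress.ip_address(m["src_ip"])
            dst = ipaddress.ip_address(m["dst_ip"])
        except ValueError:
            continue  # malformed address field
        if src in DMZ_NET and dst in INSIDE_NET:
            hits[(str(src), str(dst), m["proto"], m["dst_port"])] += 1
    return hits

# Constructed sample records (not captured from a real device).
SAMPLE_LOG = [
    'Jan 10 09:14:02 fw1 %ASA-4-106023: Deny tcp src dmz:10.1.1.3/49152 dst inside:10.1.2.27/445 by access-group "dmz_in" [0x0, 0x0]',
    'Jan 10 09:14:05 fw1 %ASA-4-106023: Deny tcp src dmz:10.1.1.3/49153 dst inside:10.1.2.27/445 by access-group "dmz_in" [0x0, 0x0]',
    'Jan 10 09:14:09 fw1 %ASA-4-106023: Deny icmp src dmz:10.1.1.3 dst inside:10.1.2.27 (type 8, code 0) by access-group "dmz_in" [0x0, 0x0]',
    'Jan 10 09:15:11 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/3321 dst inside:10.1.2.27/80 by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 09:15:30 fw1 %ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/80 to inside:10.1.2.27/51000',
]

if __name__ == "__main__":
    for (src, dst, proto, port), n in dmz_to_inside_denies(SAMPLE_LOG).most_common():
        print(f"{n} denied {proto} attempt(s) {src} -> {dst} port {port}")
```

Repeated denies from a DMZ server toward inside hosts are worth reviewing, since a DMZ host normally has no reason to open new sessions to the inside network.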


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
