A DMZ User Attempts to Access an Inside Host - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 5, Configuring the Firewall Mode (Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM)

Routed Mode Overview

The following steps describe how data moves through the FWSM (see Figure 5-4):

1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address).
   If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The FWSM receives the packet and because it is a new session, the FWSM verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the FWSM drops the packet and logs the connection attempt.
   If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session.

A DMZ User Attempts to Access an Inside Host

Figure 5-5 shows a user in the DMZ attempting to access the inside network.

Figure 5-5 DMZ to Inside
[Figure labels: Outside 209.165.201.2; FWSM 10.1.2.1, 10.1.1.1; Inside; User 10.1.2.27; DMZ; Web Server 10.1.1.3]

The following steps describe how data moves through the FWSM (see Figure 5-5):

1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route the traffic on the Internet, the private addressing scheme does not prevent routing.
2. The FWSM receives the packet and because it is a new session, the FWSM verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the FWSM drops the packet and logs the connection attempt.
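
The decision path in the steps above (established session, otherwise policy check, otherwise drop and log), as an added Python model that is not part of the Cisco guide and is not FWSM code. The permit rule, the /24 masks, the reading of 10.1.1.0/24 as the DMZ and 10.1.2.0/24 as the inside network, the interface names and the port numbers are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# ingress = name of the interface the packet arrives on (hypothetical names)
Packet = namedtuple("Packet", "ingress proto src sport dst dport")

# Assumed policy (not from the guide): permit rules per ingress interface as
# (proto, source network, destination network, destination port).
# Anything unmatched is denied, so "dmz" and "outside" cannot open sessions.
POLICY = {
    "inside": [("tcp", "10.1.2.0/24", "10.1.1.0/24", 80)],
    "dmz": [],
    "outside": [],
}

class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()  # established flows, both directions (5-tuple only)
        self.log = []          # denied connection attempts

    def _permitted(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return any(
            p.proto == proto and p.dport == dport
            and src in ipaddress.ip_network(s_net)
            and dst in ipaddress.ip_network(d_net)
            for proto, s_net, d_net, dport in self.policy.get(p.ingress, [])
        )

    def handle(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow in self.sessions:   # belongs to an established session
            return "forward"
        if self._permitted(p):      # new session, allowed by the policy
            self.sessions.update({flow, (p.proto, p.dst, p.dport, p.src, p.sport)})
            return "forward"
        self.log.append(f"deny {p.proto} {p.ingress}:{p.src}/{p.sport} -> {p.dst}/{p.dport}")
        return "drop"               # new session, not allowed: drop and log

def demo():
    fw = Firewall(POLICY)
    pkts = [  # constructed sample packets using the addresses in Figure 5-5
        Packet("dmz", "tcp", "10.1.1.3", 40000, "10.1.2.27", 22),     # DMZ -> inside
        Packet("inside", "tcp", "10.1.2.27", 51000, "10.1.1.3", 80),  # inside -> DMZ
        Packet("dmz", "tcp", "10.1.1.3", 80, "10.1.2.27", 51000),     # reply, session exists
        Packet("dmz", "tcp", "10.1.1.3", 80, "10.1.2.27", 51001),     # reply-like, no session
    ]
    return [fw.handle(p) for p in pkts], fw.log
```

The fourth packet has the same addresses and source port as a valid reply but matches no session entry, so it is handled as a new DMZ-to-inside session and denied.
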
OL-20748-01


This manual is also suitable for:

7609-s, 7613, 7606-s, Catalyst 6500 series, 7600 series
