
Anti-spoofing disrupting inside to dmz traffic

Status
Not open for further replies.

JMCraig

Programmer
Feb 20, 2002
US
Hi Folks,

I've got the basic 5505 license (so boxes on the dmz interface cannot initiate connections to boxes on the inside interface--traditional dmz setup). But, with anti-spoofing enabled on the outside interface, I also can't initiate traffic from a box on the inside interface to a dmz box. (And that should be possible, shouldn't it?)

Do I just need a static route from inside to dmz or what?

Thanks much!

John Craig
Alpha-G Consulting, LLC
 
With the basic license you can't pass any traffic between the DMZ and inside interfaces.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
PScottC,
That's not entirely true. You cannot initiate traffic to the inside from the DMZ, but it will respond to traffic initiated from the inside.

JMCraig,
If you turn off the anti-spoof, does it work as you want? You can do all the anti-spoof by setting up proper ACLs and nat-control properly.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for the clarification, Supergrrover. How does that affect UDP traffic, like tftp where there may be some responses? Is it based on the application inspection policies?

PSC

 
Yes, with the anti-spoofing disabled, I can get from inside boxes to the services hosted on the dmz boxes. But I'm not clear on how ACLs and NAT control can compensate for anti-spoofing being disabled. (But maybe I'm not very clear on the whole issue.) In the docs on Anti-Spoofing, it says "For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information"--right, like that standard is going to help me get it set up.... So, it seems like I just need to have a static NAT entry of the appropriate type--but I'm not clear on what that would be.

I only turned on anti-spoofing on the outside interface, but when I have that enabled, traffic originating on the inside interface gets blocked on the way to the dmz interface--huh?

John

John Craig
Alpha-G Consulting, LLC
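To make concrete what Brent's "ACLs and nat-control" suggestion and John's "static NAT entry of the appropriate type" would look like, here is an added configuration example. It is not taken from the thread or from either poster; it uses pre-8.3 ASA syntax (the nat-control era of the 5505 under discussion), and the VLAN numbers, interface names and all addresses (192.168.1.0/24 inside, 172.16.1.0/24 dmz, 203.0.113.0/30 outside, a web server at 172.16.1.10) are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Addresses and VLAN numbers are assumed.
! ASA 5505, base license: the third VLAN must be told which interface it may not
! initiate traffic to (here: inside), which is the "traditional dmz" restriction.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! --- Anti-spoofing, option A: the built-in reverse-path check (RFC 2267 style).
! Applied on outside only, it drops packets arriving on outside whose source address
! the routing table would send back out inside or dmz. It is not applied to
! packets arriving on inside, so it should not affect inside-to-dmz sessions.
ip verify reverse-path interface outside
!
! --- Anti-spoofing, option B: the same effect written as an explicit ingress ACL.
! Deny anything arriving from the Internet that claims an internal or loopback source,
! then permit only the services actually published, then drop the rest.
access-list outside_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list outside_in extended deny ip 172.16.1.0 255.255.255.0 any
access-list outside_in extended deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
!
! --- NAT. With nat-control enabled, a translation must exist for every pair of
! interfaces a flow crosses, including inside -> dmz. An identity static keeps inside
! addresses unchanged toward the dmz; a second static publishes the dmz web server
! on the outside interface address.
nat-control
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) tcp interface www 172.16.1.10 www netmask 255.255.255.255
```

Two caveats when reading this against the thread. First, because the only route on outside is the default route, option A only rejects sources that have a more specific route via another interface (the inside and dmz subnets); it does not filter arbitrary bogons, which is why the ACL in option B can be stricter. Second, the reverse-path check is evaluated per ingress interface, so if enabling it on outside really is breaking sessions that start on inside, the usual suspects are the NAT or routing entries for inside-to-dmz rather than the check itself, which is what the request for a scrubbed config is meant to flush out.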
 
OK, I'll call that strange. Can you post a scrubbed config?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 