Chapter 15
Firewall Mode Overview
4.
5.
6.
An Outside User Visits a Web Server on the DMZ
Figure 15-2
Figure 15-2
Inside
The following steps describe how data moves through the security appliance (see
1.
2.
OL-12172-03
The security appliance then records that a session is established and forwards the packet from the
outside interface.
When www.example.com responds to the request, the packet goes through the security appliance,
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the global destination
address to the local user address, 10.1.2.27.
The security appliance forwards the packet to the inside user.
shows an outside user accessing the DMZ web server.
Outside to DMZ
User
Outside
209.165.201.2
10.1.2.1
10.1.1.1
Web Server
10.1.1.3
A user on the outside network requests a web page from the DMZ web server using the global
destination address of 209.165.201.3, which is on the outside interface subnet.
The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the classifier "knows" that
the DMZ web server address belongs to a certain context because of the server address translation.
Dest Addr Translation
209.165.201.3
10.1.1.13
DMZ
Cisco Security Appliance Command Line Configuration Guide
Routed Mode Overview
Figure
15-2):
15-3