Routed Mode Overview
3.
4.
5.
6.
An Inside User Visits a Web Server on the DMZ
Figure 15-3
Figure 15-3
Inside
User
10.1.2.27
The following steps describe how data moves through the security appliance (see
1.
2.
Cisco Security Appliance Command Line Configuration Guide
15-4
The security appliance translates the destination address to the local address 10.1.1.3.
The security appliance then adds a session entry to the fast path and forwards the packet from the
DMZ interface.
When the DMZ web server responds to the request, the packet goes through the security appliance
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the local source address
to 209.165.201.3.
The security appliance forwards the packet to the outside user.
shows an inside user accessing the DMZ web server.
Inside to DMZ
Outside
209.165.201.2
10.1.2.1
10.1.1.1
Web Server
10.1.1.3
A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.
The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
DMZ
Chapter 15
Firewall Mode Overview
Figure
15-3):
OL-12172-03