I'm trying to set up my company firewall to allow the connections described below:
OUTSIDE IPs are A and B. These are NATed to the INSIDE and the DMZ.
The firewall should operate as follows:
OUTSIDE to DMZ: allow SMTP
OUTSIDE to INSIDE: allow SMTP and HTTPS
DMZ to INSIDE: allow LDAP and SMTP
All traffic going from INSIDE to DMZ, INSIDE to OUTSIDE, and DMZ to OUTSIDE is permitted.
After reading the Cisco ASA and PIX Firewall Handbook, I created 6 access lists: an inbound and an outbound one for each interface. As I understand it, the inbound access list for the DMZ interface controls connections originating from the DMZ to the INSIDE as well as connections originating from OUTSIDE to the DMZ, which is very confusing. This didn't work, despite the logic being correct. Every behavior was correct except that I couldn't access OUTSIDE from the DMZ on any port. The security levels listed from lowest to highest are OUTSIDE->DMZ->INSIDE.
Then I decided to have only 2 access lists. One would permit SMTP and HTTPS from A to the INSIDE address, and it would also permit SMTP from B to the DMZ address. That one was applied to the OUTSIDE interface for inbound traffic. The other access list would allow LDAP and SMTP from the DMZ to the INSIDE and, at the same time, take on the role of the outbound access list and allow HTTP, HTTPS, SMTP, and DOMAIN from the DMZ to the OUTSIDE. This access list was applied to the DMZ interface for inbound traffic.
My question is: how is it possible for the inbound access list on the DMZ interface to affect the outbound traffic? If I take the lines that explicitly allow outbound traffic from the DMZ to the OUTSIDE off the DMZ access list, outbound requests break.
Any help or insight would be very appreciated.
Vince
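The two-access-list design described in the post, written out as ASA configuration. This is an added illustration, not the poster's own configuration; the interface names and security levels, the ACL and object names, and the addresses (203.0.113.1 and 203.0.113.2 standing in for A and B, 10.0.0.25 for the INSIDE mail/LDAP server, 192.168.100.25 for the DMZ relay, 10.0.0.0/24 for the INSIDE network) are assumptions chosen for the example. It also assumes ASA 8.3 or later, where ACLs reference the real (untranslated) address and NAT is configured on the network object; on pre-8.3 code the outside ACL would name the translated addresses A and B instead. The behaviour it shows: `access-group NAME in interface X` filters every packet that enters the firewall on interface X, whatever interface it will leave by, so the DMZ ACL sees DMZ-to-INSIDE and DMZ-to-OUTSIDE traffic alike. And once any ACL is bound to an interface, the implicit permit from a higher to a lower security level no longer applies to traffic entering that interface; the ACL's implicit deny at the end does. That is why removing the DMZ-to-OUTSIDE permits breaks outbound requests from the DMZ.

```text
! Interfaces (assumed names and security levels, lowest to highest)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
interface GigabitEthernet0/2
 nameif inside
 security-level 100
!
! Real hosts and their static NAT to the OUTSIDE addresses A and B
! (example addresses, assumed; 8.3+ object NAT syntax)
object network INSIDE_MAIL
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.1
object network DMZ_RELAY
 host 192.168.100.25
 nat (dmz,outside) static 203.0.113.2
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
!
! ACL 1: packets entering the firewall on the OUTSIDE interface.
! With 8.3+ the destination is the real address, not the NATed one.
access-list OUTSIDE_IN extended permit tcp any object INSIDE_MAIL eq smtp
access-list OUTSIDE_IN extended permit tcp any object INSIDE_MAIL eq https
access-list OUTSIDE_IN extended permit tcp any object DMZ_RELAY eq smtp
access-group OUTSIDE_IN in interface outside
!
! ACL 2: packets entering the firewall on the DMZ interface, whether they
! are headed to INSIDE or to OUTSIDE. Binding this ACL removes the default
! DMZ(50) -> OUTSIDE(0) permit, so outbound traffic must be listed here too.
!
! DMZ -> INSIDE: only LDAP and SMTP to the mail/LDAP server
access-list DMZ_IN extended permit tcp object DMZ_RELAY object INSIDE_MAIL eq ldap
access-list DMZ_IN extended permit tcp object DMZ_RELAY object INSIDE_MAIL eq smtp
!
! Block everything else from the DMZ to the INSIDE network before the
! "any" lines below, otherwise "any" would also match INSIDE hosts.
access-list DMZ_IN extended deny ip object DMZ_RELAY object INSIDE_NET
!
! DMZ -> OUTSIDE: HTTP, HTTPS, SMTP and DNS
access-list DMZ_IN extended permit tcp object DMZ_RELAY any eq www
access-list DMZ_IN extended permit tcp object DMZ_RELAY any eq https
access-list DMZ_IN extended permit tcp object DMZ_RELAY any eq smtp
access-list DMZ_IN extended permit udp object DMZ_RELAY any eq domain
access-list DMZ_IN extended permit tcp object DMZ_RELAY any eq domain
! implicit deny ip any any
access-group DMZ_IN in interface dmz
!
! No access-group on the inside interface: INSIDE(100) keeps the default
! permit to the lower-security DMZ and OUTSIDE, as the post requires.
```

Two checks worth running after applying something like this: `show access-list DMZ_IN` shows per-line hit counts, so a DMZ host that cannot reach OUTSIDE will show its traffic landing on no permit line; and `packet-tracer input dmz tcp 192.168.100.25 12345 198.51.100.10 443` walks a synthetic packet through the ACL, NAT and routing phases and names the phase that drops it, which is the quickest way to tell an ACL problem from a NAT or routing one.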