Cisco Security Appliance Command Line Configuration Guide
OL-12172-01
Chapter 15 Firewall Mode Overview
Routed Mode Overview
The following steps describe how data moves through the security appliance (see Figure 15-4):
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address).
If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and, because it is a new session, verifies whether the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.
A DMZ User Attempts to Access an Inside Host
Figure 15-5 shows a user in the DMZ attempting to access the inside network.
Figure 15-5 DMZ to Inside
The following steps describe how data moves through the security appliance (see Figure 15-5):
1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route the traffic on the Internet, the private addressing scheme does not prevent routing.
2. The security appliance receives the packet and, because it is a new session, verifies whether the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
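The deny-and-log step that ends both flows above can be reviewed from the appliance's syslog output. The following is an added example, not part of the Cisco guide: it assumes the denials are logged as syslog message 106023 (packet denied by an access list), and the host name, interface names, ACL names and log lines are constructed, with the figure's addresses assigned to interfaces by assumption.

```python
import re
from collections import Counter

# Assumption: denials are logged as syslog message 106023 (denied by access list).
DENY_RE = re.compile(
    r"%(?:ASA|PIX)-\d-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample log: outside->inside and DMZ->inside attempts plus one
# unrelated "connection built" record that must be ignored.
SAMPLE_LOG = """\
Jan 10 09:14:02 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51522 dst inside:10.1.2.27/80 by access-group "outside_in" [0x0, 0x0]
Jan 10 09:14:03 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51523 dst inside:10.1.2.27/80 by access-group "outside_in" [0x0, 0x0]
Jan 10 09:15:40 fw1 %ASA-4-106023: Deny tcp src dmz:10.1.1.3/40112 dst inside:10.1.2.27/445 by access-group "dmz_in" [0x0, 0x0]
Jan 10 09:16:01 fw1 %ASA-6-302013: Built outbound TCP connection 1201 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.27/50001 (209.165.201.2/50001)
Jan 10 09:16:30 fw1 %ASA-4-106023: Deny icmp src dmz:10.1.1.3 dst inside:10.1.2.27 (type 8, code 0) by access-group "dmz_in" [0x0, 0x0]
"""


def parse_denies(text):
    """Return one dict per denied-packet record; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        match = DENY_RE.search(line)
        if match:
            records.append(match.groupdict())
    return records


def summarize(records, protected_if="inside"):
    """Count denied attempts toward protected_if, keyed by
    (source interface, source IP, destination IP, destination port)."""
    counts = Counter()
    for rec in records:
        if rec["dst_if"] == protected_if:
            key = (rec["src_if"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    # Most frequent denied source/destination pairs first.
    for key, hits in summarize(parse_denies(SAMPLE_LOG)).most_common():
        print(hits, key)
```

Port-less records such as ICMP carry `None` in the port field, so they are counted separately from TCP and UDP attempts against the same host.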
[Figure 15-5 labels: Web Server 10.1.1.3; User 10.1.2.27; interfaces Outside, Inside, DMZ; addresses 209.165.201.2, 10.1.1.1, 10.1.2.1]