No, I have the Security+ license. I was just confused as to the way that the ASA treats internal traffic.

----- Original Message ----
From: ""
Sent: Friday, October 19, 2007 11:00:03 AM
Subject: firewall-wizards Digest, Vol 18, Issue 10

Send firewall-wizards mailing list submissions to

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to

You can reach the person managing the list at

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: DMZ to INSIDE Communication (Anthony)
2. Ramifications from increasing IPsec SA or rekey times?
(Christopher J. Wargaski)


Message: 1
Date: Mon, 15 Oct 2007 18:05:22 -0500
From: Anthony
Subject: Re: [fw-wiz] DMZ to INSIDE Communication
To: Firewall Wizards Security Mailing List

Message-ID: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

So you weren't running into the issue of the base license not allowing
DMZ initiated traffic to the inside network?

"With the Base platform, communication between the DMZ VLAN and the
Inside VLAN is restricted: the Inside VLAN is permitted to send traffic
to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to
the Inside VLAN."


chris mr wrote:
> Thanks for your help...
> I had to add another static into the ASA and ACL on DMZ in.
> = 12.x.x.x
> EXCHANGE1 = natted ip of Exchange on inside
> static (inside,DMZ) tcp 12.x.x.x smtp EXCHANGE1 smtp netmask
> __________________________________________________ __________________________________
> Don't let your dream ride pass you by. Make it a reality with Yahoo! Autos.
> _______________________________________________
> firewall-wizards mailing list


Message: 2
Date: Tue, 16 Oct 2007 14:29:45 -0500
From: "Christopher J. Wargaski"
Subject: [fw-wiz] Ramifications from increasing IPsec SA or rekey
Content-Type: text/plain; charset=ISO-8859-1


I am investigating what the ramifications are for increasing the SA
life or rekey time on an IPsec VPN. Certainly the longer the same SA
stays around, the longer the Wiley Wacker has to break my key.

Does anyone know of some documents suggesting vulnerabilities from
or ramifications of increasing the SA lifetime or rekey time?


firewall-wizards mailing list

End of firewall-wizards Digest, Vol 18, Issue 10

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
firewall-wizards mailing list