[PCI DSS 1.x] 1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.

1.3.4 Verify that internal addresses cannot pass from the Internet into the DMZ.

I am confused about this control…

Not allowing internal IPs to pass from the internet to…etc

Internal IPs are not on the internet!!
What exactly should I test in this control??

If someone has an idea, kindly advise here or to my email [email protected]


Ensure that anti-spoof functionality is enabled.

Internal addresses passed to the internet

If you are using NAT on your boundary firewall, then internal addresses will not be passed to the internet as part of the IP packet. The only way around using NAT on your firewall is if your internal address is routable (i.e. not part of the 10/8, 192.168/16 etc. group of address spaces that are non-routable by convention). If you want to prove that this address translation is taking place, then put a tap & sniffer on your internet connection outside of the firewall.

Your boundary router (sitting outside the firewall) should also have rules in place that dump any of these non-routable addresses either coming in or going out…

One place where these internal addresses may appear is on your external facing web sites. If you are using NAT for your external web sites, the web site itself can indicate what its actual internal address is. I can't remember the details, but it's in one of the status messages.

You don't want to give anyone any more information than you have to, so it's a good thing to disable the web feature that provides this information…
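As an added illustration of the anti-spoof and NAT checks the replies describe (example code, not from any poster): a small Python audit of packets captured by a tap outside the firewall, flagging any internal address seen on the Internet side. The blocks beyond 10/8 and 192.168/16, the packet record format and the sample addresses are my assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# "Non-routable by convention" blocks named in the reply (10/8 and
# 192.168/16), plus 172.16/12, loopback and link-local, which are added
# here as an assumption of what a boundary anti-spoof rule set covers.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_internal(addr: str) -> bool:
    """True if addr falls in a block that must never appear outside the firewall."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)

def classify(pkt: Dict[str, str]) -> Optional[str]:
    """Return a finding for one packet captured outside the firewall, or None.

    pkt keys (assumed format): dir ("in" = Internet -> DMZ, "out" = DMZ ->
    Internet), src, dst.  Any internal address on the outside is a problem;
    the reason says which part of the control it maps to.
    """
    if pkt["dir"] == "in" and is_internal(pkt["src"]):
        return "spoofed internal source from Internet (1.3.4: anti-spoof rule should drop)"
    if pkt["dir"] == "in" and is_internal(pkt["dst"]):
        return "internal destination reachable from Internet (1.3.4: must not be routed in)"
    if pkt["dir"] == "out" and (is_internal(pkt["src"]) or is_internal(pkt["dst"])):
        return "internal address leaving to Internet (NAT not applied / egress filter missing)"
    return None

def audit_capture(capture: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify over a whole capture; one index + reason entry per finding."""
    return [{"index": i, "reason": r}
            for i, pkt in enumerate(capture) if (r := classify(pkt)) is not None]

# Constructed sample of what the tap outside the firewall might see.
# 198.51.100.5 stands in for the firewall's public NAT address and
# 203.0.113.10 for an Internet host (documentation ranges, not real hosts).
SAMPLE_CAPTURE = [
    {"dir": "in",  "src": "203.0.113.10",  "dst": "198.51.100.5"},   # normal inbound
    {"dir": "in",  "src": "10.1.2.3",      "dst": "198.51.100.5"},   # spoofed source
    {"dir": "in",  "src": "203.0.113.10",  "dst": "192.168.10.20"},  # internal dst outside
    {"dir": "out", "src": "192.168.10.20", "dst": "203.0.113.10"},   # NAT leak
    {"dir": "out", "src": "198.51.100.5",  "dst": "203.0.113.10"},   # normal outbound
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"packet {finding['index']}: {finding['reason']}")
```

An empty result on a real capture taken over a representative period is the evidence an assessor would want for the testing procedure; any finding points at a missing anti-spoof or NAT rule on the boundary device.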