Is it standard procedure to allow internal users to access DMZ servers?

Mar 21st, 2007

I have never allowed my internal users to access web based front end servers in my DMZ but it seems a lot of companies are doing this now. So the question is:

Is it standard procedure to allow internal users to access DMZ servers?

abinjola (Cisco Employee) Wed, 03/21/2007 - 10:37

Well, I guess you are the best person to decide that... Moreover, if you really need it, then you can open port 80 by applying an access-list on the inside interface that allows only port 80 to the DMZ, while making sure the access-list doesn't block anything else...

cclinton383 Wed, 03/21/2007 - 10:48

Actually, I was hoping to get the Cisco view on whether this is a good standard practice, and whether there are any security reasons not to allow internal users direct access to the DMZ servers.

abinjola (Cisco Employee) Wed, 03/21/2007 - 10:54

Well, Cisco TAC recommends access rules/permissions that are as narrowed down as possible, not a complete hole in the system... so try to narrow it down to specific hosts and specific services and ports using the access-lists:

access-list abc remark allow only web traffic from inside to the DMZ web server (DMZ_WEB_IP is a placeholder for the server's address)
access-list abc permit tcp any host DMZ_WEB_IP eq 80
access-list abc remark block everything else from inside into the DMZ (DMZ_SUBNET / DMZ_MASK are placeholders for the DMZ network)
access-list abc deny ip any DMZ_SUBNET DMZ_MASK
access-list abc remark leave inside-to-outside traffic untouched
access-list abc permit ip any any
access-group abc in interface inside

The above should be good.
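To make the point about narrowed, first-match access rules concrete, here is an added example that is not part of the original thread or of any Cisco code: a small first-match ACL evaluator in Python that models the inside-interface policy described above and runs a few constructed flows through it. The inside and DMZ subnets, the DMZ web server address (192.168.100.10), the flow sources and the rule names are all assumed values chosen for the illustration.

```python
"""Added example (not from the original thread): a first-match ACL evaluator
that models a narrowed inside-interface policy, so the effect of rule order
and of scoping rules to specific hosts and ports can be checked offline.
All addresses and subnets below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (assumed, not from the thread).
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")
DMZ_WEB_HOST = ipaddress.ip_network("192.168.100.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


# Model of the narrowed ACL applied inbound on the inside interface.
# Order matters: the firewall stops at the first matching rule.
INSIDE_IN = [
    # access-list abc permit tcp any host 192.168.100.10 eq 80
    Rule("permit", "tcp", ANY, DMZ_WEB_HOST, 80),
    # access-list abc deny ip any 192.168.100.0 255.255.255.0
    Rule("deny", "ip", ANY, DMZ_NET),
    # access-list abc permit ip any any   (inside users out to the Internet)
    Rule("permit", "ip", ANY, ANY),
]

# The same rules with the deny and the broad permit swapped: the permit-any
# now shadows the deny, and every DMZ port is reachable from inside again.
MISORDERED = [INSIDE_IN[0], INSIDE_IN[2], INSIDE_IN[1]]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return (verdict, index of the matching rule or None) for one flow.
    A flow that matches nothing hits the implicit deny at the end, as on a PIX/ASA."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


def check_policy(acl):
    """Run a few constructed flows through the ACL and return name -> verdict."""
    flows = {
        "inside->dmz-web:80": ("tcp", "10.1.2.3", "192.168.100.10", 80),
        "inside->dmz-web:22": ("tcp", "10.1.2.3", "192.168.100.10", 22),
        "inside->other-dmz-host:80": ("tcp", "10.1.2.3", "192.168.100.20", 80),
        "inside->internet:443": ("tcp", "10.1.2.3", "203.0.113.5", 443),
    }
    return {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy(INSIDE_IN).items():
        print(f"{name:28s} {verdict}")
    print("misordered:", check_policy(MISORDERED))
```

With the rules in the intended order, only HTTP to the one DMZ web server is permitted from inside, every other inside-to-DMZ flow is denied, and inside-to-Internet traffic is untouched; swapping the deny and the final permit shows why the order of those two lines is what actually narrows the access.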
