03-21-2007 09:26 AM - edited 03-11-2019 02:50 AM
I have never allowed my internal users to access web-based front end servers in my DMZ, but it seems a lot of companies are doing this now. So the question is:
Is it standard procedure to allow internal users to access DMZ servers?
03-21-2007 10:37 AM
Well, I guess you are the best person to decide that... moreover, if you really need it then you can open port 80 by applying an access-list on the inside interface allowing only port 80 to the DMZ, apart from making sure the access-list doesn't block anything else...
03-21-2007 10:48 AM
Actually, I was hoping to get the Cisco view on whether this is a good standard practice and whether there are any security reasons not to allow internal users direct access to the DMZ servers.
03-21-2007 10:54 AM
Well, Cisco TAC recommends access rules/permissions that are narrowed down as much as possible, not a complete hole in the system... so try to narrow it down to specific hosts and specific services and ports using the access-lists:
! Inside-interface ACL. <DMZ_WEB_SERVER> and <DMZ_SUBNET> <MASK> are placeholders for your own addressing.
! Entries are evaluated top-down, first match wins; anything unmatched hits the implicit deny.
access-list abc permit tcp any host <DMZ_WEB_SERVER> eq 80
access-list abc deny ip any <DMZ_SUBNET> <MASK>
access-list abc permit ip any any
access-group abc in interface inside
the above should be good
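The ordering point in the answer above (permit only the web port to the one DMZ host, deny everything else to the DMZ, then let the rest of inside traffic out) is easy to get wrong, so here is an added example that is not from the thread: a small first-match ACL evaluator in Python that encodes that inside-interface policy, renders it back in Cisco access-list syntax, and runs a few sample flows through it. The DMZ subnet 192.168.100.0/24 and web server 192.168.100.10 are constructed values, not addresses from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the example (not from the thread).
DMZ_SUBNET = ipaddress.ip_network("192.168.100.0/24")
DMZ_WEB_SERVER = ipaddress.ip_network("192.168.100.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (ip matches every protocol)
    dst: ipaddress.IPv4Network       # destination network; ANY = 0.0.0.0/0
    dst_port: Optional[int] = None   # None = any destination port


# Inside-interface ACL in the spirit of the answer: web port to the one
# DMZ host, nothing else into the DMZ, everything else (e.g. Internet) allowed.
INSIDE_ACL: List[Rule] = [
    Rule("permit", "tcp", DMZ_WEB_SERVER, 80),
    Rule("deny", "ip", DMZ_SUBNET),
    Rule("permit", "ip", ANY),
]

# The same three entries with the catch-all permit moved to the top,
# which is the mistake the ordering matters for.
MISORDERED_ACL: List[Rule] = [INSIDE_ACL[2], INSIDE_ACL[0], INSIDE_ACL[1]]


def evaluate(acl: List[Rule], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a flow, using Cisco first-match semantics."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"  # implicit deny at the end of every Cisco ACL


def to_cisco(acl: List[Rule], name: str, interface: str = "inside") -> List[str]:
    """Render the rules as access-list / access-group lines (ASA/PIX style)."""
    lines = []
    for rule in acl:
        if rule.dst == ANY:
            dst = "any"
        elif rule.dst.prefixlen == 32:
            dst = f"host {rule.dst.network_address}"
        else:
            dst = f"{rule.dst.network_address} {rule.dst.netmask}"
        port = f" eq {rule.dst_port}" if rule.dst_port is not None else ""
        lines.append(f"access-list {name} {rule.action} {rule.proto} any {dst}{port}")
    lines.append(f"access-group {name} in interface {interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_cisco(INSIDE_ACL, "abc")))
    # Sample flows from an inside host (constructed).
    for proto, ip, port in [("tcp", "192.168.100.10", 80), ("tcp", "192.168.100.10", 22),
                            ("tcp", "192.168.100.20", 80), ("tcp", "203.0.113.5", 443)]:
        print(f"{proto} -> {ip}:{port}  correct={evaluate(INSIDE_ACL, proto, ip, port)}"
              f"  misordered={evaluate(MISORDERED_ACL, proto, ip, port)}")
```

Running it shows that with the correct order only TCP/80 to the web server reaches the DMZ, while the misordered list permits SSH to the web server and anything at all to the other DMZ hosts, because the catch-all entry matches first and the deny is never consulted.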