03-21-2007 09:26 AM - edited 03-11-2019 02:50 AM
I have never allowed my internal users to access web based front end servers in my DMZ but it seems a lot of companies are doing this now. So the question is:
Is it standard procedure to allow internal users to access DMZ servers?
03-21-2007 10:37 AM
Well, I guess you are the best person to decide that... moreover, if you really need it then you can open port 80 by applying an access-list on the inside interface allowing only port 80 to the DMZ, apart from making sure the access-list doesn't block anything else...
03-21-2007 10:48 AM
Actually, I was hoping to get the Cisco view on whether this is a good standard practice and whether there are any security reasons not to allow internal users direct access to the DMZ servers.
03-21-2007 10:54 AM
Well, Cisco TAC recommends access rules/permissions that are narrowed down as much as possible, not a complete hole in the system... so try to narrow it down to specific hosts and specific services and ports using the access-lists:
access-l abc permit tcp any
access-l abc deny ip any
access-l abc permit ip any any
access-g abc in interface inside
the above should be good
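A narrowed inside-interface ACL of the kind the reply describes, written out as an added example (not the thread's own configuration). It assumes ASA/PIX 7.x extended access-list syntax, an inside network of 10.1.0.0/24, and a DMZ web server at 192.168.100.10 inside a 192.168.100.0/24 DMZ; all addresses and the name inside_in are assumptions.

```cisco
access-list inside_in remark Added example: restrict inside -> DMZ to the web server on HTTP/HTTPS only
access-list inside_in remark Assumed addressing: inside 10.1.0.0/24, DMZ 192.168.100.0/24, web server 192.168.100.10
access-list inside_in extended permit tcp 10.1.0.0 255.255.255.0 host 192.168.100.10 eq 80
access-list inside_in extended permit tcp 10.1.0.0 255.255.255.0 host 192.168.100.10 eq 443
access-list inside_in remark Explicitly deny and log every other inside -> DMZ flow so blocked attempts are visible in syslog
access-list inside_in extended deny ip any 192.168.100.0 255.255.255.0 log
access-list inside_in remark Everything not destined for the DMZ (e.g. outbound Internet) continues as before
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

Return traffic for the permitted web sessions is handled by the firewall's stateful inspection, so no matching rule is needed on the DMZ interface; `show access-list inside_in` displays per-line hit counts, which is the quickest way to confirm the deny line is catching only what you expect.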