
Is it standard procedure to allow internal users to access DMZ servers?

cclinton383
Level 1

I have never allowed my internal users to access web-based front-end servers in my DMZ, but it seems a lot of companies are doing this now. So the question is:

Is it standard procedure to allow internal users to access DMZ servers?

3 Replies

abinjola
Cisco Employee

Well, I guess you are the best person to decide that... Moreover, if you really need it, then you can open port 80 by applying an access-list on the inside interface allowing only port 80 to the DMZ, apart from making sure the access-list doesn't block anything else...

Actually, I was hoping to get the Cisco view on whether this is a good standard practice and whether there are any security reasons not to allow internal users direct access to the DMZ servers.

Well, Cisco TAC recommends access rules/permissions that are narrowed down as much as possible, not a complete hole in the system... So try to narrow it down to specific hosts and specific services and ports using the access-lists:

access-list abc permit tcp any host <dmz-server-ip> eq 80

access-list abc deny ip any <dmz-network> <dmz-netmask>

access-list abc permit ip any any

access-group abc in interface inside

The above should be good.
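Added example, not part of the thread or Cisco's own tooling: a small first-match evaluator that models the three-entry ACL above and checks that it permits only TCP/80 to the DMZ web server, blocks everything else to the DMZ, and leaves other traffic alone. The DMZ subnet 192.0.2.0/24, the web server 192.0.2.10 and the sample flows are constructed values assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    dst: ipaddress.IPv4Network       # destination network (source is "any")
    dport: Optional[int] = None      # None = any port

# Constructed addressing (assumption): DMZ 192.0.2.0/24, web server 192.0.2.10.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
WEB = ipaddress.ip_network("192.0.2.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Same order as the ACL in the reply: specific permit, DMZ deny, permit the rest.
ACL_ABC = [
    Rule("permit", "tcp", WEB, 80),
    Rule("deny", "ip", DMZ_NET),
    Rule("permit", "ip", ANY),
]

def evaluate(acl, proto, dst, dport=None):
    """Return the action of the first matching rule; implicit deny at the end."""
    addr = ipaddress.ip_address(dst)
    for rule in acl:
        if rule.proto not in ("ip", proto):
            continue
        if addr not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"

def audit(acl):
    """Check the properties the inside-interface ACL is meant to have."""
    return {
        "web_http_allowed": evaluate(acl, "tcp", "192.0.2.10", 80) == "permit",
        "web_ssh_blocked": evaluate(acl, "tcp", "192.0.2.10", 22) == "deny",
        "other_dmz_host_blocked": evaluate(acl, "tcp", "192.0.2.20", 80) == "deny",
        "internet_unaffected": evaluate(acl, "tcp", "198.51.100.7", 443) == "permit",
    }

if __name__ == "__main__":
    for name, ok in audit(ACL_ABC).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Because evaluation stops at the first match, moving the `permit ip any any` entry above the deny makes the DMZ checks fail, which is the "complete hole" the reply advises against.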
