Help shaping firewall rules:

thecoffeeguy
Level 1

I have recently started work for a new company and have taken over the ASA 5510 Firewall rules. I have worked with them a bit in the past, but not enough to say I am very strong or a master.

Anyway, after taking a look at the firewall rules, I was horrified with what I found. Basically, the DMZ has full access to the LAN and vice versa.

Talking with the management, I asked if we could change this because this is a huge security concern.

They finally gave me permission, but now I am in a position of:

where do I start?

how do I maximize security?

I am in the process of mapping the servers in the DMZ, what services they run, their IPs and what they need.

Does anyone have some suggestions on how to go about this?

Right now, there is one Windows server and 3 Mac OS X servers in there, hosting FTP and HTTP/HTTPS.

They should only need to come into the LAN to query our DNS server, as well as port 80 to our winupdate server for patches.

Anyone want to help me get started? I feel overwhelmed.

Thx.

2 Replies

vkapoor5
Level 5

As per your explanation, I understood that the DMZ has the same security level as the inside (LAN) network. Then your configuration must contain the command "same-security-traffic permit inter-interface". You should remove this command with "no same-security-traffic permit inter-interface" in the global configuration mode of the ASA. Then modify the security level of the DMZ to be slightly lower than the inside network. Now the networks in the DMZ cannot access the inside network. As per your requirement, you can put ACLs in to allow the needed traffic to come inside to the LAN.
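
A worked ASA configuration for the approach vkapoor5 describes (lower DMZ security level, explicit ACL for the two flows the original poster needs), added here as an example rather than taken from the thread or from Cisco's documentation; the interface names, addresses, and the DNS and update server roles are assumptions.

```cisco
! Added example: restrict DMZ -> inside on an ASA 5510 to DNS and HTTP updates only.
! Assumed addresses (RFC 5737 documentation ranges, constructed for this example):
!   inside  = 192.0.2.0/24      dmz = 198.51.100.0/24
!   internal DNS server          = 192.0.2.10
!   internal update server (WSUS) = 192.0.2.20, HTTP on tcp/80 as described
!
! 1. Security levels: DMZ lower than inside, so DMZ->inside is denied by default
!    and only the explicit ACL below opens it.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! 2. Remove the setting that lets equal-security interfaces talk freely
!    (only present if the levels had been set equal, as the reply suggests).
no same-security-traffic permit inter-interface
!
! 3. Name the networks so the ACL reads as policy rather than as raw addresses.
object-group network DMZ_SERVERS
 network-object 198.51.100.0 255.255.255.0
object-group network INSIDE_NET
 network-object 192.0.2.0 255.255.255.0
!
! 4. Inbound policy on the DMZ interface: permit exactly the two required flows
!    toward the LAN, log and drop anything else aimed at the LAN, then allow
!    the servers' remaining traffic (internet-bound) out.
access-list DMZ_IN remark DNS queries to the internal resolver (UDP and TCP 53)
access-list DMZ_IN extended permit udp object-group DMZ_SERVERS host 192.0.2.10 eq domain
access-list DMZ_IN extended permit tcp object-group DMZ_SERVERS host 192.0.2.10 eq domain
access-list DMZ_IN remark Windows updates from the internal update server
access-list DMZ_IN extended permit tcp object-group DMZ_SERVERS host 192.0.2.20 eq www
access-list DMZ_IN remark Explicit, logged deny toward the LAN so unexpected flows surface in syslog
access-list DMZ_IN extended deny ip any object-group INSIDE_NET log
access-list DMZ_IN remark Everything not bound for the LAN (internet) is still allowed out
access-list DMZ_IN extended permit ip object-group DMZ_SERVERS any
!
access-group DMZ_IN in interface dmz
```

The "vice versa" direction (LAN into the DMZ) needs its own access-group on the inside interface, which this example does not cover. Before relying on the rule set, confirm each intended flow and a representative blocked one with `packet-tracer input dmz udp 198.51.100.10 12345 192.0.2.10 53` and similar, and watch the logged denies for anything the server inventory missed.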

jmia
Level 7

Hi Jason,

You may find the following document useful:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

The above document shows access to a mail server in the DMZ, but I am sure you could modify this with your requirements for your services!

Good luck, and I hope the above helps a little; if it does, please rate posts!!

Jay
