03-11-2008 04:53 PM - edited 03-05-2019 09:41 PM
Hey guys, I need some help with DMZs. Here's the setup:
LAN = 10.10.30.0/24
DMZ = 10.60.60.0/24
One server in the DMZ, 10.60.60.10, needs access to 10.10.30.220 on port 443. This is the only access needed from the PC in the DMZ to the PC in the LAN. Everything will obviously need to be locked down.
This DMZ pc also needs to accept traffic on port 80 and 443 from the internet.
How would you VLAN this and, especially, the access-lists?
Thank you.
03-11-2008 05:12 PM
Edit: You are most likely going to want to permit udp 53 out/in for DNS lookups.
access-list 101 permit tcp host 10.10.30.220 host 10.60.60.10 eq 443
access-list 101 permit ip
access-list 101 permit ip
vlan access-map dmz_http
match ip address 101
action forward
vlan filter dmz_http vlan-list
03-11-2008 05:54 PM
So with this config, will anything else be denied? Meaning, if I try to access anything on the LAN from the DMZ, will it be denied?
Also, the LAN should have total access to the DMZ, but the DMZ should be blocked from accessing anything in the LAN except the 10.10.10.30 server at the specified port.
How will this look?
03-11-2008 06:01 PM
OK, then for your LAN-to-DMZ full access you'll have:
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255
You can use the other access list I posted above for your DMZ to .30 server access list.
EDIT: Sorry, I re-read your post and realized I had misunderstood you. Based on what you have told us, your access list should resemble the following:
access-list 101 permit ip 10.60.30.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 permit tcp host 10.10.60.10 host 10.60.30.220 eq 443
access-list 101 permit ip host
access-list 101 permit ip host
That will permit your entire LAN subnet to access the DMZ subnet, but only allow your DMZ to connect to the server in the LAN (30.220 eq 443).
03-11-2008 07:00 PM
This looks good. I'm going to apply it on a Catalyst 4506.
Will this be enough for the requirements of putting an Access Gateway server in the DMZ?
The only thing this box will be doing is receive requests from internet users on ports 443 and 80, authenticate them, and if successful, allow the connection to the inside server.
Assuming this DMZ server gets hacked, because it sits in the DMZ and access is completely blocked to the internal LAN (except on port 443), will it be safe? In other words, will this meet the requirements for properly placing this box in the DMZ?
Sorry for the simple questions, but I'm learning.
03-11-2008 08:10 PM
Jason:
I think you may have committed a typo.
In the access list
access-list 101 permit ip 10.60.30.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 permit tcp host 10.10.60.10 host 10.60.30.220 eq 443
access-list 101 permit ip host
access-list 101 permit ip host
...didn't you mean to write
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255
for the first statement?
...and...
access-list 101 permit tcp host 10.60.60.10 host 10.10.30.220 eq 443
for the second statement?
Just wanna make sure...
Victor
03-11-2008 09:14 PM
Mmm, I see... great catch. So what will be the real final config?
03-11-2008 09:25 PM
Hi:
His config is correct, but he just got dyslexic for a moment. :-) Happens to all of us...
Just replace the first 2 statements of his access list with the 2 corrected statements I posted.
But if you like, wait for him to log back on and answer your question.
Hope I've helped you...
If so, please rate my posts
Thanks
Victor
03-12-2008 10:20 AM
Great, thank you.
03-12-2008 02:03 PM
Victor is correct. Sorry for the typo!
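To check that the corrected two-line access list really enforces the thread's requirements (LAN to DMZ open, DMZ to LAN only 10.60.60.10 to 10.10.30.220:443, everything else hitting the implicit deny), here is a small ACL evaluator. It is an added example, not configuration from the thread or from Cisco; it assumes the port-matching entry is written with `tcp` (IOS rejects `permit ip ... eq 443`) and that the VACL is stateless, so the reply packets from 10.10.30.220 back to the DMZ host are only allowed because of the broad LAN-to-DMZ entry.

```python
import ipaddress

# The access list as corrected in the thread (Jason's entries with Victor's
# address fix). Cisco ACLs end with an implicit "deny any", and a port
# match ("eq 443") requires a tcp/udp entry rather than "ip".
ACL_101 = """
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255
access-list 101 permit tcp host 10.60.60.10 host 10.10.30.220 eq 443
"""

def _parse_addr(tokens, i):
    """Parse 'host A', 'any' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if src in e_src and dst in e_dst and (e_port is None or e_port == dst_port):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed flows covering the thread's requirements.
    entries = parse_acl(ACL_101)
    for flow in [("tcp", "10.60.60.10", "10.10.30.220", 443),  # the one allowed DMZ->LAN flow
                 ("tcp", "10.60.60.10", "10.10.30.220", 22),   # anything else: implicit deny
                 ("tcp", "10.10.30.50", "10.60.60.10", 80),    # LAN->DMZ full access
                 ("udp", "10.60.60.10", "10.10.30.5", 53)]:    # DNS is blocked (see the udp 53 note)
        print(flow, "->", evaluate(entries, *flow))
```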