DMZ in/out Configuration

Answered Question
Nov 18th, 2008

I have a two part question about ACLs in/out of my DMZ.

1. If I have a client on the internal interface who needs to contact a webserver in the dmz, do I need an ACL on the Internal interface, as well as an ACL on the outgoing interface of the DMZ?

2. If an Internal host needs to access http on a DMZ webserver, what ports do I allow back from the DMZ? For instance, the Internal acl uses http(s), but I am unsure of the acl back from the webserver. I don't want to use all TCP.

Thanks


1. no; the more secure inside interface will be able to reach the less secure dmz interface. the inside should be security level 100, while the dmz should be 50-25, etc. depending on what you set it to;

just watch your NATs. You'll probably need to adjust nat (inside) 0 access-list somelist to include the private IPs from inside to the dmz IPs

etc.

10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0

2. nothing. you don't need to allow anything back... that is the best part! all traffic will statefully be allowed back in. the only thing the ACL on the DMZ needs to permit is original connections; this could be a BES server in a dmz going back to an internal SQL server, a dmz server going out to Symantec to do a virus update, etc.

there should always be an acl with a deny any any (log) applied in the dmz interface. log if you want to see what the dmz servers are trying to do ;)

Remember the whole point of the dmz is to isolate the servers in a secure "jail". they only talk to the hosts you permit them to. PERIOD


jgorman1977 Tue, 11/18/2008 - 08:49

I do have another question. I need to ping from our internal 10.0.0.0/16 to our dmz 172.16.110.0/24. I have NATed static (Internal,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

I have an allow icmp rule from DMZ in, but still cannot ping between the networks.

make sure your inspection policy remembers to catch and permit those stateless little echo replies;

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

this is the preferred way to do this... the old way would be

access-list dmz-in permit icmp any any echo-reply

access-group dmz-in in interface dmz

-Joe
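Putting the two answers in this thread together (security levels so inside can initiate to the dmz without an inside ACL, an identity static so inside hosts keep their real addresses toward the dmz, a dmz ACL that permits only server-originated connections and ends in a logged deny, and icmp inspection so echo replies come back), here is an added example of what the resulting ASA configuration could look like in the pre-8.3 syntax used above. It is not from the original thread or from Cisco; the interface names, the 10.0.0.1 and 172.16.110.1 interface addresses, the 172.16.110.20 and 10.0.5.10 hosts and the port 1433 rule are constructed placeholders, and the 10.0.0.0/16, 172.16.110.0/24, dmz-in and static values are the ones posted in the thread.

```cisco
! Inside is the most trusted side (100); the dmz sits lower (50).
! A higher security level may open connections toward a lower one
! with no ACL on the inside interface.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.110.1 255.255.255.0
!
! Identity static from the thread: inside addresses are presented to
! the dmz unchanged, so dmz ACL entries can name the real 10.0.0.0/16.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
!
! dmz-in only lists connections the dmz servers are allowed to START.
! Return traffic for inside->dmz sessions is matched by the connection
! table, so nothing "back" needs to be permitted here.
! Placeholder: a dmz app server reaching an internal SQL server.
access-list dmz-in extended permit tcp host 172.16.110.20 host 10.0.5.10 eq 1433
! Nothing else from the dmz may reach the inside network.
access-list dmz-in extended deny ip any 10.0.0.0 255.255.0.0
! Placeholder: dmz servers fetching updates over http/https.
access-list dmz-in extended permit tcp 172.16.110.0 255.255.255.0 any eq 80
access-list dmz-in extended permit tcp 172.16.110.0 255.255.255.0 any eq 443
! Final catch-all with logging, as the answer recommends.
access-list dmz-in extended deny ip any any log
access-group dmz-in in interface dmz
!
! ICMP is not tracked unless inspected; with inspect icmp the echo reply
! for an inside->dmz ping is matched to its request and allowed back
! without an echo-reply entry in dmz-in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

The order of the dmz-in entries matters: the specific permit toward 10.0.5.10 sits before the deny toward 10.0.0.0/16, and the update rules sit after it so a dmz host cannot use port 80 or 443 to reach an internal machine. Reviewing hits on the final logged deny is the quickest way to see what a dmz server is trying to do that the policy does not allow.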
