A demilitarized zone (DMZ) is a part of a network separated from other systems by a firewall that allows only certain types of network traffic to enter or leave. A DMZ, or perimeter network, is a subnetwork that sits between an organisation's internal network and an external network, usually the Internet. For example, public web servers might be placed in such a DMZ. With the DMZ approach, large companies with complex e-commerce Internet and extranet applications may have a two-tiered approach to firewall security.
A DMZ network enables Internet users to access the public servers of a company, which include web servers and FTP servers.
The DMZ network maintains the security for a company's private LAN.
The configuration of the DMZ in the device can be broadly divided into these three parts:
- Interface Security Level: Traffic is allowed from a higher security interface to a lower security interface by default, but the reverse is blocked.
Each interface has a unique name and security level that you can change using the nameif command. By default, Ethernet0 is named outside and assigned security level 0. Ethernet1 is named inside with security level 100. The default security level of perimeter interfaces starts at security 10 for Ethernet2 (the DMZ interface). You can choose any unique security level between 1 and 99 for a perimeter interface.
For more information on interface name and security level, refer to the Changing Interface Names or Security Levels section of Establishing Connectivity.
- Translation Rules: Translation rules can be dynamic nat, global, or static.
- Traffic Permission Rules: Traffic permission rules are the access-list and access-group rules applied in the firewall configuration to permit traffic through the interface.
For more information on the DMZ configuration, refer to DMZ Configuration in ASA using ASDM and Mail Server Access on the DMZ Configuration Example.
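The three parts above, put together as an added example configuration that is not taken from the original page or from Cisco's documents. It assumes PIX 6.x command syntax; the addresses (documentation and private ranges), the DMZ security level of 50, the server at 172.16.1.10 and the ACL name outside_in are constructed for illustration.

```cisco
!--- Part 1: interface names and security levels.
!--- outside = 0 (least trusted), inside = 100 (most trusted),
!--- dmz = any unique value from 1 to 99 (50 is an assumed choice).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

!--- Part 2: translation rules.
!--- Dynamic translation: inside hosts going to lower security
!--- interfaces use the pool with the matching NAT ID (1).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 172.16.1.100-172.16.1.200 netmask 255.255.255.0

!--- Static translation: publish the DMZ web server (172.16.1.10)
!--- to the outside as 192.0.2.10.
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255

!--- Part 3: traffic permission rules.
!--- Lower to higher security traffic is blocked by default, so
!--- permit only HTTP to the published address. Every access-list
!--- ends with an implicit deny for everything else.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside

!--- No static or access-list is defined from dmz to inside, so a
!--- DMZ host cannot open connections into the private LAN.
```

After loading a configuration like this, `show xlate` lists the active translations and `show access-list` shows per-entry hit counts, which helps confirm that only the intended flow reaches the DMZ server.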
Client Location on Network with PIX