dmz design help


I have 2 x PIX 515Es to set up. This is for a colo, so there are no workstations/users on the LAN/secured interface. However, I do have SQL servers that I would like to keep out of the DMZ, separate from the web servers.

Should I set up the PIX with 3 interfaces: 1 outside, 1 DMZ, and 1 secure?

I would like traffic from outside not to be allowed into the secured interface, but there will be several mappings from outside to the DMZ. Also, some traffic will need to be allowed to pass from secured to DMZ (this can be open) and from DMZ to secured (this needs to be controlled).

Also, these servers are all on the same domain. Should I put the domain controller servers in the secured area as well?

Any insights appreciated.

Re: dmz design help

Outside Interface - security level 0

DMZ interface - security level 50

Secure Interface - security level 100

Then put in specific ACLs to permit outside to DMZ and specific ACLs for DMZ to secure. Only permit into the DMZ what is needed. Nothing more. Lock it down by destination IP and port.

Traffic will automatically be permitted from a higher security level to a lower security level, so inside can talk to the DMZ and outside, etc.

Think of the DMZ as a network with the potential to be compromised because public traffic is allowed in. No public traffic is allowed into the inside secure network, so that's probably where you want your domain controller servers.

But like all things, it depends. Hope that helps.
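As an added worked example (not part of either post above), here is what the three-interface layout from the reply looks like in PIX 6.3-style configuration: security levels on the interfaces, a static mapping plus an inbound ACL for outside to DMZ, an identity translation so secure to DMZ is open, and a tightly scoped ACL for DMZ to secure. Interface names, all addresses (203.0.113.0/24 outside, 172.16.0.0/24 DMZ, 10.0.0.0/24 secure), the web server at 172.16.0.10, the SQL server at 10.0.0.20 and the 1433/tcp rule are assumptions for illustration, not from the original posts.

```cisco
: Three-interface PIX 515E layout as described in the reply above.
: PIX 6.3-style syntax; all addresses and hosts are assumptions.
: 203.0.113.0/24 = outside, 172.16.0.0/24 = dmz, 10.0.0.0/24 = secure
: 172.16.0.10 = web server (dmz), 10.0.0.20 = SQL server (secure)

nameif ethernet0 outside security0
nameif ethernet1 secure security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address secure 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0

: Outside -> DMZ: one static mapping per published server, then an ACL
: that permits only the published ports to that mapped address.
static (dmz,outside) 203.0.113.10 172.16.0.10 netmask 255.255.255.255 0 0
access-list outside_in remark Only the published web ports reach the DMZ
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

: Secure -> DMZ: identity translation so secure hosts keep their real
: addresses when seen from the DMZ. No access-group on the secure
: interface, so high-to-low traffic stays open by default.
static (secure,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

: DMZ -> secure: controlled. Only the web server may reach SQL on 1433/tcp.
: Caveat: once an access-group is applied to the dmz interface, the ACL's
: implicit deny covers everything entering dmz, including dmz -> outside
: traffic that the security levels alone would have allowed, so anything
: the DMZ servers must originate (DNS, updates) needs an explicit permit.
access-list dmz_in remark Web server to SQL server only
access-list dmz_in permit tcp host 172.16.0.10 host 10.0.0.20 eq 1433
access-list dmz_in remark Domain membership from the DMZ needs more rules
access-list dmz_in remark to the DC (Kerberos, LDAP, DNS, SMB) per host
access-list dmz_in remark Block all other DMZ -> secure before the
access-list dmz_in remark outbound permits below, which use "any"
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in remark Outbound from the web server that must still work
access-list dmz_in permit udp host 172.16.0.10 any eq domain
access-list dmz_in permit tcp host 172.16.0.10 any eq www
access-list dmz_in permit tcp host 172.16.0.10 any eq https
access-group dmz_in in interface dmz
```

Two points worth checking on a real box: the `deny ip any 10.0.0.0 255.255.255.0` line must sit above any permit that uses `any` as the destination, otherwise the outbound permits quietly reopen DMZ to secure; and the web server's outbound traffic to the outside is translated by the existing `static (dmz,outside)` entry, so no separate `nat`/`global` pair is needed for it. If the DMZ servers really are domain members, the Active Directory ports they need toward the DC (placed in secure, as the reply suggests) go into `dmz_in` as specific host-to-host permits, never as a blanket permit into 10.0.0.0/24.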
