Cisco Support Community

New Member

Is it standard procedure to allow internal users to access DMZ servers?

I have never allowed my internal users to access web based front end servers in my DMZ but it seems a lot of companies are doing this now. So the question is:

Is it standard procedure to allow internal users to access DMZ servers?

3 REPLIES
Cisco Employee

Re: Is it standard procedure to allow internal users to access

Well, I guess you are the best person to decide that... Moreover, if you really need it, then you can open port 80 by applying an access-list on the inside interface allowing only port 80 to the DMZ, apart from making sure the access-list doesn't block anything else...

New Member

Re: Is it standard procedure to allow internal users to access

Actually I was hoping to get the Cisco view on if this is a good standard practice and are there any security reasons not to allow internal users direct access to the DMZ servers.

Cisco Employee

Re: Is it standard procedure to allow internal users to access

Well, Cisco TAC recommends as much narrowed-down access-rules/permissions as possible, not a complete hole in the system... so try to narrow it down to specific hosts and specific services and ports using the access-lists:

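! Placeholders in <...> stand for the DMZ addresses, which the post does not give.
! Entries are checked top-down: web to the DMZ server, then no other DMZ access,
! then everything else from inside is allowed.
access-l abc permit tcp any host <dmz-server-ip> eq 80
access-l abc deny ip any <dmz-network> <dmz-netmask>
access-l abc permit ip any any
access-g abc in interface inside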

The above should be good.
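Added example, not part of the original replies: a small Python model of first-match evaluation for the three-entry access-list in the last reply, used to check which DMZ services inside hosts can reach and how entry order changes that. All addresses are constructed assumptions (192.168.50.0/24 as the DMZ, 192.168.50.10 as the web server), and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread).
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
DMZ_WEB = ipaddress.ip_network("192.168.50.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, protocol, source, destination, destination port or None for any)
ACL = [
    ("permit", "tcp", ANY, DMZ_WEB, 80),   # web to the one DMZ server
    ("deny", "ip", ANY, DMZ_NET, None),    # nothing else into the DMZ
    ("permit", "ip", ANY, ANY, None),      # all other traffic from inside
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry number) of the first matching entry.

    Falls through to the implicit deny that ends every access-list.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl, 1):
        if r_proto != "ip" and r_proto != proto:
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, number
    return "deny", None

def reachable(acl, src="10.1.1.25",
              hosts=("192.168.50.10", "192.168.50.20"),
              ports=(22, 80, 443, 3389)):
    """List the (DMZ host, TCP port) pairs the ACL permits from an inside host."""
    return [(h, p) for h in hosts for p in ports
            if evaluate(acl, "tcp", src, h, p)[0] == "permit"]

if __name__ == "__main__":
    print("as posted: ", reachable(ACL))
    # Same entries with the broad permit moved above the DMZ deny.
    misordered = [ACL[0], ACL[2], ACL[1]]
    print("misordered:", reachable(misordered))
```

Running the same check against an export of the real rule set before and after a change shows whether a new entry has widened inside-to-DMZ access.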
