Cisco Support Community
PIX DMZ Design Help

I am trying to design a new DMZ. I have two internal subnets 172.16.0.0/16 and 192.168.9.0/24. My DMZ is going to be 172.28.2.192/28. For now I will have 1 web server in the DMZ with ports 80 and 443 needed in. I also want to allow the server in the DMZ to talk to two internal servers as well as respond to pings. I do have an ACL restricting outbound traffic from the inside, so I will need to allow the inside to talk to the DMZ as well. Here is what I have built thus far for config (on paper). Any advice or recommendations would be appreciated.

static (inside,DMZ) 172.16.0.0 172.16.0.0

static (inside,DMZ) 192.168.9.0 192.168.9.0

static (DMZ,outside) 12.34.44.XX 172.28.2.196

access-list DMZ permit host 172.28.2.196 host 172.16.0.17 (to talk with server A on inside)

access-list DMZ permit host 172.28.2.196 host 172.16.0.16 (to talk with server B on inside)

access-list DMZ permit icmp host 172.28.2.196 172.16.0.0 255.255.0.0 (allow ICMP to inside)

access-list DMZ permit 172.16.0.0 255.255.0.0 any (allow inside to talk with DMZ?)

access-list DMZ permit tcp any 172.28.2.196 eq 80 (allow port 80 from inside and outside?)

access-list DMZ permit tcp any 172.28.2.196 eq 443 (allow port 443 from inside and outside?)

access-list outside permit tcp any 12.34.44.X eq 80 (allow outside world into nat'd address for DMZ server)

access-list outside permit tcp any 12.34.44.X eq 443 (allow outside world into nat'd address for DMZ server)

access-list inside permit any 172.28.2.0 255.255.255.XX (allow inside into DMZ)

access-groups XXXXX

Does this look it will work? What am I missing?

Thanks a lot.

1 REPLY

Re: PIX DMZ Design Help

Hi ...

According to your requirements you got it 90%+ right. I would suggest the following changes though:

access-list DMZ permit ip host 172.28.2.196 host 172.16.0.17 (to talk with server A on inside)

access-list DMZ permit ip host 172.28.2.196 host 172.16.0.16 (to talk with server B on inside)

access-list DMZ permit icmp host 172.28.2.196 172.16.0.0 255.255.0.0 (allow ICMP to inside)

you don't need the other entries from the DMZ access-list

access-list inside permit ip any 172.28.2.0 255.255.255.XX (allow inside into DMZ)

NOTE: this allows all outbound access to the web servers, so you might want to lock it down to the access you require only, i.e. ICMP, 80 and 443.

Apart from that, you should be OK.

I hope it helps. Please rate it if it does!
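The rule set as corrected by the reply, as an added example that belongs to neither post: a small Python model that parses PIX access-list lines into first-match entries (with the implicit deny the PIX applies at the end of every ACL) and evaluates the flows the asker listed against them. The ACL text is constructed from the two posts: the names inside, DMZ and outside are the interface names used in the asker's static statements, 203.0.113.10 is an assumed stand-in for the elided 12.34.44.XX global address that the outside ACL references, and the inside ACL is narrowed to ICMP, 80 and 443 as the reply suggests. Only the syntax forms used in the thread are parsed (any, host, network plus subnet mask, eq PORT).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ACL text following the reply's recommendations (not copied from
# the thread): ACL names come from the asker's static statements, 203.0.113.10
# is an assumed stand-in for the 12.34.44.XX global address, and the inside
# ACL is limited to ICMP, 80 and 443 as the reply suggests.
PIX_ACLS = """
access-list DMZ permit ip host 172.28.2.196 host 172.16.0.17
access-list DMZ permit ip host 172.28.2.196 host 172.16.0.16
access-list DMZ permit icmp host 172.28.2.196 172.16.0.0 255.255.0.0
access-list outside permit tcp any host 203.0.113.10 eq 80
access-list outside permit tcp any host 203.0.113.10 eq 443
access-list inside permit icmp any host 172.28.2.196
access-list inside permit tcp any host 172.28.2.196 eq 80
access-list inside permit tcp any host 172.28.2.196 eq 443
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _endpoint(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' followed by an optional 'eq PORT'.
    PIX ACLs take ordinary subnet masks, not IOS-style wildcard masks."""
    if tok[i] == "any":
        net, i = ANY, i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        net, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Group 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines by
    ACL name, keeping their order, because the PIX evaluates entries top-down."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src, sport, i = _endpoint(tok, 4)
        dst, dport, _ = _endpoint(tok, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls


def evaluate(acls: Dict[str, List[Ace]], name: str, proto: str,
             src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(name, []):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


ACLS = parse_acls(PIX_ACLS)

# Flows taken from the asker's requirements plus a few that must be refused:
# (acl, proto, src, dst, dport) for the first packet of each connection.
FLOWS = {
    "dmz web -> server A, any tcp port": ("DMZ", "tcp", "172.28.2.196", "172.16.0.17", 1433),
    "dmz web -> other inside host":      ("DMZ", "tcp", "172.28.2.196", "172.16.0.50", 445),
    "dmz web ping 172.16.0.0/16":        ("DMZ", "icmp", "172.28.2.196", "172.16.5.5", None),
    "dmz web ping 192.168.9.0/24":       ("DMZ", "icmp", "172.28.2.196", "192.168.9.1", None),
    "internet -> web 443":               ("outside", "tcp", "198.51.100.7", "203.0.113.10", 443),
    "internet -> web 22":                ("outside", "tcp", "198.51.100.7", "203.0.113.10", 22),
    "inside -> web 80":                  ("inside", "tcp", "172.16.0.17", "172.28.2.196", 80),
    "inside -> web 22":                  ("inside", "tcp", "172.16.0.17", "172.28.2.196", 22),
}


def flow_report() -> Dict[str, str]:
    return {label: evaluate(ACLS, *flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, verdict in flow_report().items():
        print(f"{verdict:6} {label}")
```

Two things the model makes visible that neither post spells out. First, the PIX only needs the inbound ACL on each interface to permit the initiating packet; replies flow back through its stateful connection table, which is why the reply drops the asker's DMZ-ACL entries that tried to permit inside-to-DMZ traffic from the DMZ side. Second, the ICMP entry covers 172.16.0.0/16 only, so a ping from the web server to anything in 192.168.9.0/24 lands on the implicit deny even though that subnet has an identity static; add a second icmp line for 192.168.9.0 255.255.255.0 if pings to that subnet are wanted. The access-group bindings are outside the model.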