I just worked on figuring out how to manage traffic from the Inside to the DMZ. I applied the NAT 0 to this traffic since we did not need any NAT. From here I added an access list to permit any traffic coming from the DMZ. We only have a single server there.
My question is should I lock this access list down to just necessary traffic like ICMP, FTP and HTTP or leave it wide open? I assume my only worry is if this box is compromised then it could have free rein to the inside network.
Lock it down as much as possible. The whole point of having a DMZ is that if the servers on it are compromised, your inside network is still safe. If all access to this server is initiated from the inside, then you don't need any access-list, because the PIX will automatically allow the return traffic back (this doesn't include ICMP actually, so you do need to allow that in if you want to be able to ping this server from the inside). Your ACL only needs to allow the traffic types that this server initiates to the inside network; if there isn't anything like that then don't specify an access-list at all.
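A PIX configuration that implements the advice above, added here as an illustration and not the poster's own config; the inside subnet 10.1.1.0/24, the DMZ subnet 192.168.100.0/24, the server address 192.168.100.10 and the interface name dmz are assumed:

```cisco
! --- Assumed addressing (not from the thread) ---
!   inside network : 10.1.1.0/24
!   DMZ network    : 192.168.100.0/24
!   DMZ server     : 192.168.100.10
!   DMZ interface  : dmz

! Inside -> DMZ without address translation (the "NAT 0" from the question).
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Inbound ACL on the dmz interface. Sessions that inside hosts open to the
! server (HTTP, FTP, ...) need no entry here: the PIX tracks them and lets the
! return packets back. FTP's data channel is opened by the default
! "fixup protocol ftp 21", so it needs no entry either.

! ICMP is not tracked, so replies to pings from the inside must be permitted
! explicitly. Only reply-type messages, and only from the one server.
access-list DMZ_IN permit icmp host 192.168.100.10 10.1.1.0 255.255.255.0 echo-reply
access-list DMZ_IN permit icmp host 192.168.100.10 10.1.1.0 255.255.255.0 unreachable
access-list DMZ_IN permit icmp host 192.168.100.10 10.1.1.0 255.255.255.0 time-exceeded

! Sessions the server itself must open toward the inside go here, one line per
! destination host and port; with a single server that has no such need, add none.

! Everything else from the DMZ toward the inside network is dropped, and the
! entry is logged so a compromised server probing inward shows up in syslog.
access-list DMZ_IN deny ip any 10.1.1.0 255.255.255.0 log

! Applying the ACL also drops anything not listed, including DMZ -> outside.
! If the server must reach the Internet, permit that explicitly (assumed need):
! access-list DMZ_IN permit tcp host 192.168.100.10 any eq 80

access-group DMZ_IN in interface dmz
```

With the ACL in place, `show access-list DMZ_IN` shows a hit count per line, so the deny entry's counter is a quick check for unexpected traffic from the server toward the inside.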