Extending DMZ inside the network???

tat
Level 1

Hello. My question is: how can servers located inside the network be connected to the DMZ (other than by a separate physical link)?

We ran into this problem when it is physically not possible to move the DMZ servers close to the PIX (different locations/buildings).

As crazy as it sounds, how can I securely!!! extend the DMZ into the inside network?

Thanks in advance

6 Replies

e.schliesing
Level 1

It sounds like a common problem, with a distributed network at least. If there is no way to prod the clients into central housing, you need to extend your DMZ. It depends on HOW secure you want it, really. IF you have port security, and your LAN switches have tight security, and you are careful in your network architecture, you CAN extend the DMZ with VLANs and trunking. I'd consider that your easiest option, though if the data is of a VERY sensitive nature, you'd need to get each remote location its own switch and basically build an entire DMZ network alongside your current one, which can get rather pricey AND complex.

HTH

Eric

robertgile
Level 1

You can create static NAT entries [assuming you are doing NAT] with access-list entries to allow only certain ports through. Below is an example:

Access-list entry:

access-list [LIST-NAME] permit [TCP or UDP] any host [IP ADDRESS] eq [PORT]

NAT Entry:

static (inside,outside) [GLOBAL IP] [PRIVATE IP] netmask 255.255.255.255 0 0

The references to inside and outside are the interface names in your PIX; these can be changed to match your configuration.

RobertG...
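To show the static-plus-access-list pattern above as a complete PIX 6.x fragment, here is a constructed example (not a config from this thread or from either poster). It assumes three interfaces (outside, inside, dmz), placeholder addresses 203.0.113.0/24, 192.168.100.0/24 and 172.16.101.0/24, and one DMZ web server at 172.16.101.10; lines starting with ! are annotation for the reader.

```cisco
! Constructed example, not from this thread. All addresses are placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 172.16.101.1 255.255.255.0

! Inside hosts are PAT'd behind the outside and dmz interface addresses
! when they talk to lower-security interfaces.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
global (dmz) 1 interface

! Publish the DMZ web server on a fixed global address (higher-security
! interface is named first in the static).
static (dmz,outside) 203.0.113.10 172.16.101.10 netmask 255.255.255.255 0 0

! From the Internet, only HTTPS to that one host is allowed; the ACL's
! implicit deny drops everything else.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! Inside hosts reach the server at its real DMZ address (inside to dmz is
! high to low security, so no static is needed for the DMZ server itself).
! Restrict inside users to HTTPS on the server and to web ports elsewhere.
access-list INSIDE_OUT permit tcp 192.168.100.0 255.255.255.0 host 172.16.101.10 eq 443
access-list INSIDE_OUT permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list INSIDE_OUT permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-group INSIDE_OUT in interface inside

! The DMZ server gets no path into the inside network, only replies to
! existing sessions, which the PIX allows statefully without an ACL entry.
access-list DMZ_IN deny ip any 192.168.100.0 255.255.255.0
access-list DMZ_IN permit tcp host 172.16.101.10 any eq 80
access-list DMZ_IN permit tcp host 172.16.101.10 any eq 443
access-group DMZ_IN in interface dmz
```

Verify the result with `show xlate` and `show access-list` after generating test connections from each side; the hit counters on each ACL line confirm which rule is actually matching.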

That's correct, but my solution not only separates the DMZ'd machine from the external network, but also from the internal network, by not allowing that DMZ'd device to participate in the broadcast domain, or subnet, of the internal devices. This provides the internal network a level of protection from the DMZ, which straight NATing doesn't do. After all, that's WHY we have DMZs, isn't it?

Eric

Robert,

Your example is very useful; however, I have a question for you. Since I use PAT, I have no problem allowing the outside world to access the server in my DMZ.

But allowing our inside private network to access it does not seem to work correctly.

This is my config.

static (dmz, outside) 204.108.101.10 172.16.101.10 for outside.

static (inside, dmz) 192.168.100.10 192.128.100.10 for inside.

global (dmz) 1 interface.

I have an access list.

Is my static for inside correct?

Thank you.

For PAT, I have the following lines in one of my PIXes:

global (GLOBAL) 1 63.136.96.51

global (DMZ) 1 208.145.162.35

nat (PRIVATE) 1 0.0.0.0 0.0.0.0 0 0

Just curious, what version are you running?

Hi Robert,

I got global (dmz) 1 172.16.100.10 and nat(private) 1 0.0.0.0 0.0.0.0.

I don't have global (global). What do you need that statement for...?

Could you please explain... Thank you.

Our version is 6.0(1). I believe it has a bug; from time to time I need to clear xlate. So what do you use?
