New Member

Preventing DMZ access to proxy server

PIX 515E FOS 6.22. 3 interfaces, inside, outside & DMZ. Default route set to router on the other side of the outside interface. ACL set to allow proxy server outbound to any IP on ports 80 and 443 for internet access. Need to prevent proxy accessing the DMZ. Will a deny statement for the DMZ segment before the ACL allowing all outbound traffic prevent access to DMZ? Or is there a better way of doing this?

3 REPLIES
Gold

Re: Preventing DMZ access to proxy server

Hi Gary,

If you don't want the proxy accessing the DMZ then (as you said) you can create an ACL on the DMZ denying the proxy.

For instance, on the DMZ side:

> access-list DMZ deny ip any

> access-group DMZ in interface DMZ

Hope this helps -

New Member

Re: Preventing DMZ access to proxy server

Wouldn't you do:

> access-list OUT deny ip host

> access-group OUT in interface inside

as an access list is applied to inbound traffic on an interface. And apply this before the ACL allowing it outbound via the outside interface:

> access-list OUT permit tcp host 0 0 eq 80

Regards

Gary

New Member

Re: Preventing DMZ access to proxy server

Sorry, I meant:

> access-list OUT deny ip host

> access-group OUT in interface inside

as an access list is applied to inbound traffic on an interface. And apply this before the ACL allowing it outbound via the outside interface:

> access-list OUT permit tcp host any eq 80

Regards

Gary
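The point the thread turns on is first-match evaluation: an access list applied inbound on the inside interface is walked top to bottom, the first matching entry wins, and anything unmatched falls to the implicit deny at the end. The following Python model is an added example, not PIX configuration and not code from any poster; it simulates that evaluation for the entries discussed above so the effect of ordering can be checked. All addresses (proxy 10.1.1.10, DMZ 192.168.50.0/24, Internet host 203.0.113.7) are constructed placeholders, since the host and network arguments in the quoted commands did not survive on this page.

```python
import ipaddress

# Constructed sample addresses (hypothetical, not from the thread):
PROXY = "10.1.1.10"            # proxy server on the inside interface
DMZ_NET = "192.168.50.0/24"    # DMZ segment behind the DMZ interface
DMZ_HOST = "192.168.50.5"      # a server in the DMZ
INTERNET_HOST = "203.0.113.7"  # some Internet destination
ANY = "0.0.0.0/0"              # the PIX keyword "any"


def ace(action, proto, src, dst, dport=None):
    """One access-list entry: src/dst are hosts or networks, dport optional."""
    return {
        "action": action,
        "proto": proto,
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "dport": dport,
    }


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation of an inbound access list.

    Returns (action, index_of_matching_entry). The index is None when no
    entry matched and the packet hit the implicit deny at the end.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


# Ordering suggested in the thread: deny the DMZ first, then permit web traffic.
# (Comments show the PIX syntax each entry models, with placeholder addresses.)
CORRECT_ORDER = [
    ace("deny", "ip", PROXY, DMZ_NET),       # access-list OUT deny ip host <proxy> <dmz-net> <mask>
    ace("permit", "tcp", PROXY, ANY, 80),    # access-list OUT permit tcp host <proxy> any eq 80
    ace("permit", "tcp", PROXY, ANY, 443),   # access-list OUT permit tcp host <proxy> any eq 443
]

# Same three entries with the deny placed last: the permits shadow it.
SHADOWED_DENY = [CORRECT_ORDER[1], CORRECT_ORDER[2], CORRECT_ORDER[0]]


def proxy_to_dmz_web(acl):
    return evaluate(acl, "tcp", PROXY, DMZ_HOST, 80)


def proxy_to_internet_https(acl):
    return evaluate(acl, "tcp", PROXY, INTERNET_HOST, 443)


def proxy_to_internet_ssh(acl):
    return evaluate(acl, "tcp", PROXY, INTERNET_HOST, 22)


if __name__ == "__main__":
    for name, acl in (("deny first", CORRECT_ORDER), ("deny last", SHADOWED_DENY)):
        print(name, "proxy->DMZ:80     ", proxy_to_dmz_web(acl))
        print(name, "proxy->Internet:443", proxy_to_internet_https(acl))
        print(name, "proxy->Internet:22 ", proxy_to_internet_ssh(acl))
```

With the deny first, proxy traffic to the DMZ is dropped at entry 0 while HTTPS to the Internet is permitted at entry 2, and anything else (here SSH) falls to the implicit deny. With the deny moved after the permits, the `permit tcp ... any eq 80` entry matches a DMZ destination first, so the deny is never reached; that is the shadowing the replies are guarding against when they say to place the deny before the outbound permit.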
