rvv
New Member

DMZ to INSIDE. Is this right?

Hi all!

Our clients need a web server that works for inside and outside.

How do I make it right? When you open a port from DMZ to INSIDE, this is potentially unsafe.

How to make this safe? :)

6 REPLIES
Silver

Re: DMZ to INSIDE. Is this right?

Well, if you mean that you want inside to communicate with the DMZ web server, all you need is PAT for inside hosts to DMZ. This won't require opening a port from DMZ to inside because the connection is coming from a higher level of security to a lower level of security.

Let me know if this answers your question,

Appreciate your rating,

rvv
New Member

Re: DMZ to INSIDE. Is this right?

No, I mean that I need the DMZ servers to communicate to Inside.

Re: DMZ to INSIDE. Is this right?

Hi,

If your server will INITIATE the connections to inside users, it is not safe, since malicious code from the outside can use this server as a proxy to gain access to inside.

The idea of DMZ is that this will only accept connections.

What you can do is limit the access this server has to the inside LAN, or move any required accessed services to the DMZ as well.

Check the Email section on the following page, which has useful links:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor10

Please rate if this helped.

Regards,

Daniel

rvv
New Member

Re: DMZ to INSIDE. Is this right?

Hi!

Yes, my server will initiate connections to inside. I already limit the access this server has, but I am still trying to find a solution for this problem. This is a common scenario in this company - one server for inside and outside users.

Maybe you know how to achieve this safely?

Re: DMZ to INSIDE. Is this right?

Hi,

This is as safe as you can get.

Make sure you have Anti Virus, Firewall and so on on the DMZ server.

With the static command on the PIX you can specify the maximum number of connections to the server, so that you prevent a DoS to it from the internet.

Outside users will be filtered to be allowed only the right ports.

You can also activate PIX IPS for the DMZ interface.

Please rate if this helped.

Regards,

Daniel
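
One way to apply the two suggestions in the replies above (limit what the DMZ server can reach on the inside, and cap connections with `static`), as an added example that is not part of the thread. It assumes PIX 6.x syntax; the addresses, ACL names and the tcp/1433 back-end port are placeholders.

```cisco
: Constructed example. PIX 6.x syntax assumed; all addresses, ACL names
: and the back-end port (tcp/1433) are placeholders, not from the thread.
:   outside 203.0.113.0/24, dmz 192.168.1.0/24, inside 10.1.1.0/24
:   DMZ web server 192.168.1.10, inside back-end host 10.1.1.20

: Too broad (shown commented out): the DMZ server may open any
: connection to the whole inside LAN.
:   static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
:   access-list dmz_in permit ip host 192.168.1.10 10.1.1.0 255.255.255.0

: Tighter: make only the one inside host the server needs visible to the DMZ.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255

: Publish the web server to the outside, capped at 200 connections
: and 50 embryonic (half-open) connections.
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 200 50

: Outside users reach only the web ports on the published address.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

: The DMZ server may open one service on one inside host; anything else
: toward the inside LAN is denied explicitly.
access-list dmz_in permit tcp host 192.168.1.10 host 10.1.1.20 eq 1433
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
: The implicit deny at the end of dmz_in also blocks DMZ-initiated traffic
: to the outside; add explicit permits for anything the server needs there.
access-group dmz_in in interface dmz
```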

rvv
New Member

Re: DMZ to INSIDE. Is this right?

Hi!

I have already done all of this.

But I want to know: does anyone deploy this configuration? Maybe there are common issues on how to minimize risk?
