
Secure DMZ config

I am running a PIX 515E and I just added the 3rd interface for a DMZ for the company web server. I need this server to be accessible from my private network because I run Dameware for remote connectivity and I need it to be backed up via Veritas NetBackup, plus it should have access to get out on the internet.
I understand how to do this, but I called Cisco to get their opinion and here is what they recommended:
Now it does work, but is it secure? This gives my DMZ access to both servers completely versus limiting it by protocol.
Can anyone give me a hand please?

Static Entries:
static (inside,DMZ) netmask 0 0  <--  Static entry to my DC
static (inside,DMZ) netmask 0 0  <--  Static entry to my Veritas Server


access-list dmz-in permit ip host host
access-list dmz-in permit ip host host
access-list dmz-in deny ip any
access-list dmz-in permit ip any any

1 Solution
Yep, that's pretty much standard fare.
Unless you know exactly which ports are required for Dameware and for Veritas, you can't really lock them down much more than that.

If you do know the specific ports, then you can lock down the acl a bit better, i.e.

access-list dmz-in permit tcp host host eq <port>

You still need to include both the deny and the permit ip any any.
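A first-match ACL evaluator, added here as an illustration and not part of the thread, that runs the recommended dmz-in list and the port-restricted variant lrmoore describes against a few sample flows. The addresses are constructed placeholders (the thread's real ones are not shown) and the NetBackup port is an assumption to be checked against the installed version.

```python
import ipaddress

# Constructed placeholder addresses; the thread's real addresses are not on the page.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
WEB, DC, BACKUP = "192.168.1.10", "10.0.0.5", "10.0.0.6"
DNS_PORT = 53        # the author mentions allowing 53 for DNS
BACKUP_PORT = 13724  # assumption: NetBackup vnetd; verify for your version

# An ACE is (action, protocol, source, destination, destination port).
# "any" matches everything; a network object matches any address inside it.
ACL_AS_RECOMMENDED = [
    ("permit", "ip", WEB, DC, None),
    ("permit", "ip", WEB, BACKUP, None),
    ("deny", "ip", "any", INSIDE_NET, None),
    ("permit", "ip", "any", "any", None),
]
ACL_LOCKED_DOWN = [
    ("permit", "udp", WEB, DC, DNS_PORT),
    ("permit", "tcp", WEB, BACKUP, BACKUP_PORT),
    ("deny", "ip", "any", INSIDE_NET, None),   # keep: blocks the rest of inside
    ("permit", "ip", "any", "any", None),      # keep: lets the DMZ reach the internet
]

def _match(field, value):
    if field == "any":
        return True
    if isinstance(field, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in field
    return field == value

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins, as on a PIX; no match means implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if not (_match(r_src, src) and _match(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    flows = [("tcp", WEB, DC, 445), ("udp", WEB, DC, DNS_PORT),
             ("tcp", WEB, BACKUP, BACKUP_PORT), ("tcp", WEB, "10.0.0.50", 80),
             ("tcp", WEB, "203.0.113.7", 80)]
    for f in flows:
        print(f, "recommended:", evaluate(ACL_AS_RECOMMENDED, *f),
              "locked:", evaluate(ACL_LOCKED_DOWN, *f))
```

Dropping the deny line from the locked-down list makes the web server's traffic to any other inside host fall through to permit ip any any, which is why the answer says both trailing lines must stay.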

rick_me27 (Author) commented:
Thanks for the info lrmoore.  That's kinda what I thought but I needed to confirm.  Just doesn't seem secure to allow a public server full access to two servers on my LAN.  I'll find out port numbers for those apps and I guess I need to allow 53 for DNS for web access.  I'll play with it in the morning.  Thanks again.  Have a good one.
