Secure DMZ config

Posted on 2005-04-27
Last Modified: 2011-09-20
I am running a Pix 515E and I just added the 3rd interface for a DMZ for the company web server.  I need this server to be accessible from my private network because I run Dameware for remote connectivity and I need it to be backed up via Veritas Netbackup, plus it should have access to get out on the internet.
I understand how to do this but I called Cisco to get their opinion and here is what they recommended:
Now it does work but is it secure?  This gives my DMZ access to both servers completely versus limiting it by protocol.  
Can anyone give me a hand please?

Static Entries:
static (inside,DMZ) netmask 0 0  <--  Static entry to my DC
static (inside,DMZ) netmask 0 0  <--  Static entry to my Veritas Server


access-list dmz-in permit ip host host
access-list dmz-in permit ip host host
access-list dmz-in deny ip any
access-list dmz-in permit ip any any

Question by:rick_me27

Accepted Solution

Yep, that's pretty much standard fare.
Unless you know exactly which ports are required for Dameware and for Veritas, you can't really lock them down much more than that.

If you do know the specific ports, then you can lock down the acl a bit better, i.e.

access-list dmz-in permit tcp host host eq <port>

You still need to include both the deny and the permit ip any any.


Author Comment

Thanks for the info lrmoore.  That's kinda what I thought but I needed to confirm.  Just doesn't seem secure to allow a public server full access to two servers on my LAN.  I'll find out port numbers for those apps and I guess I need to allow 53 for DNS for web access.  I'll play with it in the morning.  Thanks again.  Have a good one.
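The following is an added editor's example, not configuration from the thread or from Cisco, showing what the accepted solution's "lock it down by port" advice and the author's DNS note look like as a complete dmz-in list on a PIX 6.x. Every address is a constructed placeholder (the thread's real IPs were not preserved), and the NetBackup and DNS assignments are assumptions to be checked against your own servers. One caveat the thread glosses over: an ACL applied inbound on the DMZ interface only filters sessions the web server itself opens. The Dameware console on the inside connects to the agent on the web server, which is inside-to-DMZ traffic; that direction is allowed by the PIX's security-level default (given a translation for the inside host) and the replies come back through the stateful connection table, so it needs no line here.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Constructed placeholder addresses:
!   10.10.10.5    web server on the DMZ
!   10.1.1.10     domain controller on the inside (assumed to also serve DNS)
!   10.1.1.20     Veritas NetBackup master/media server on the inside
!   10.1.0.0/16   the inside network

! Identity statics, same form as the two in the question, so DMZ hosts can
! reach the two inside servers by their real addresses.
static (inside,DMZ) 10.1.1.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.1.1.20 10.1.1.20 netmask 255.255.255.255 0 0

! 1. Only the sessions the web server must open toward the inside.
!    NetBackup client-to-master: bprd TCP 13720 and vnetd TCP 13724 are the
!    documented defaults as far as this editor knows; verify against your
!    NetBackup version, which also dictates whether bpcd (13782) is needed
!    in this direction or only from the media server toward the client.
access-list dmz-in permit tcp host 10.10.10.5 host 10.1.1.20 eq 13720
access-list dmz-in permit tcp host 10.10.10.5 host 10.1.1.20 eq 13724
!    DNS so the web server can resolve names (the port 53 the author mentions);
!    assumes the DC is the resolver. Add a tcp 53 line if you see truncated answers.
access-list dmz-in permit udp host 10.10.10.5 host 10.1.1.10 eq 53
!    No Dameware line: the inside console initiates that session to the web
!    server, so it never matches a list applied inbound on the DMZ.

! 2. Every other packet from the DMZ toward the inside network is dropped.
!    This must come BEFORE the catch-all permit; the PIX evaluates first match.
access-list dmz-in deny ip any 10.1.0.0 255.255.0.0

! 3. What is left is internet-bound traffic from the web server, which stays open.
access-list dmz-in permit ip any any

! The list does nothing until it is bound to the DMZ interface.
access-group dmz-in in interface DMZ
```

After applying it, run a backup and a page load from the web server and then check `show access-list dmz-in`: the hit counters tell you whether each permit is actually being used and whether the deny line is catching anything you did not expect, which is how you discover a port the vendor documentation left out before a user does.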

