rick_me27
Secure DMZ config
I am running a PIX 515E and I just added the 3rd interface for a DMZ for the company web server. I need this server to be accessible from my private network 172.28.1.0/24 because I run DameWare for remote connectivity and I need it to be backed up via Veritas NetBackup; plus it should have access to get out on the internet.
I understand how to do this but I called Cisco to get their opinion and here is what they recommended:
Now it does work but is it secure? This gives my DMZ 10.10.10.0/24 access to both servers completely versus limiting it by protocol.
Can anyone give me a hand please?
Static Entries:
static (inside,DMZ) 172.28.1.3 172.28.1.3 netmask 255.255.255.255 0 0 <-- Static entry to my DC
static (inside,DMZ) 172.28.1.4 172.28.1.4 netmask 255.255.255.255 0 0 <-- Static entry to my Veritas Server
ACL:
access-list dmz-in permit ip host 10.10.10.5 host 172.28.1.3
access-list dmz-in permit ip host 10.10.10.5 host 172.28.1.4
access-list dmz-in deny ip any 172.28.1.0 255.255.255.0
access-list dmz-in permit ip any any
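An added example, not from the post or from Cisco's recommendation, of the same dmz-in ACL rewritten to permit only the protocols and ports the web server actually needs; the port numbers are the products' documented defaults (DameWare 6129, NetBackup 13720/13724/13782), the assumption that the DC is only needed for DNS is mine, and both should be checked against your installed versions before use.

```cisco
! Added example: protocol-restricted replacement for the dmz-in ACL above.
! Assumptions: the DMZ web server is 10.10.10.5; 172.28.1.3 is the DC and
! is only needed for DNS; 172.28.1.4 is the NetBackup master/media server.
! Port numbers are product defaults (DameWare 6129, NetBackup 13720/13724/13782)
! and must be verified against the versions actually installed.
!
! Statics unchanged: identity NAT so inside hosts keep their real addresses
! when seen from the DMZ.
static (inside,DMZ) 172.28.1.3 172.28.1.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.28.1.4 172.28.1.4 netmask 255.255.255.255 0 0
!
! DameWare (inside -> DMZ, TCP 6129) is initiated from the higher-security
! interface, so it needs no dmz-in entry; the PIX passes the stateful replies.
!
! NetBackup: the client on the web server opens connections to the master
! server (bprd 13720, vnetd 13724); connections the server opens to the
! client (bpcd 13782) are initiated from inside and need no entry here.
access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.4 eq 13720
access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.4 eq 13724
!
! DNS to the DC only. If the web server is a domain member, add the AD ports
! explicitly rather than falling back to "permit ip".
access-list dmz-in permit udp host 10.10.10.5 host 172.28.1.3 eq 53
access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.3 eq 53
!
! Everything else from the DMZ toward the inside network is dropped and logged
! (log keyword needs PIX 6.3 or later), so a DMZ host probing inward shows up
! in syslog instead of disappearing silently.
access-list dmz-in deny ip any 172.28.1.0 255.255.255.0 log
!
! Outbound internet access for the web server only, limited to web and DNS
! (for patching, etc.), instead of "permit ip any any" for the whole DMZ.
access-list dmz-in permit tcp host 10.10.10.5 any eq 80
access-list dmz-in permit tcp host 10.10.10.5 any eq 443
access-list dmz-in permit udp host 10.10.10.5 any eq 53
!
! The implicit deny at the end covers everything else. Apply to the DMZ interface:
access-group dmz-in in interface DMZ
```

The key difference from the original is that no line contains "permit ip", so a compromise of the web server does not give the attacker a free choice of protocol toward the DC or the backup server, and the logged deny gives you a detection point for exactly that case.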