  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 396

DMZ connectivity !

Hi,
I just have a few questions about DMZ connectivity with Public and Inside interfaces...

If I give the command static (dmz,out) out I.P dmz I.P
then would my DMZ host be able to talk to the internet and the internet be able to talk to the DMZ .. or do I need to add anything extra as well ... (this is assuming the ACLs on the inside and DMZ interfaces allow everything)
Asked by: nabeel92
1 Solution
 
memo_tntCommented:
hi
yes, it's highly recommended to assign an ACL to filter traffic in/out of your DMZ, so you can keep your DMZ network away from any possible attack ..

BR
0
 
nabeel92Author Commented:
yes I know about the ACL ... but my question is: is the above static command enough to ensure
1. From Internet to DMZ servers connectivity
2. From DMZ servers to internet connectivity ?
0
 
nabeel92Author Commented:
static (dmz,outside) outside I.P DMZ I.P
0
 
memo_tntCommented:
what's your device model? if PIX:
the static command maps an internal private IP address to an external official IP address. Access-lists define the access from the untrusted external device to your DMZ device.

Use this Example to define your smtp & pop3 traffic:

static (dmz,outside) External_NAT_IP DMZ_IP netmask 255.255.255.255
access-list acl_outside permit tcp host External_SMTP_POP3_Client host External_NAT_IP eq 25
access-list acl_outside permit tcp host External_SMTP_POP3_Client host External_NAT_IP eq 110

BR

0
 
nabeel92Author Commented:
my question is still the same ... you've given an answer but not the one I am looking for ;)

considering that my ACL allows everything in to the DMZ (leaving the recommendation aside for a second) ... will the above static command ensure I am able to establish connectivity both ways ... from DMZ to internet as well as from internet to DMZ ?

static (dmz,outside) outside I.P DMZ I.P

or do I have to add other commands as well ?
0
 
nabeel92Author Commented:
I'm using a PIX 525E with IOS 8.0 .. so it's essentially an ASA ...
0
 
memo_tntCommented:
yes you can
this is how it should be:
static (DMZ,outside) xxx.xxx.xxx.x y.y.y.y netmask 255.255.255.255
access-list acl_outside permit ip any any
access-group acl_outside in interface DMZ

BR
0
 
nabeel92Author Commented:
thanks for that :)

If I may also ask, do we need to give this command on the PIX ...
route dmz x.x.x.x x.x.x.x dmz interface i.p

because it's already a directly connected interface ... so should we define a static route to the DMZ? I mean I've seen in configs people have defined it, but when I enter it, it returns an error that it's directly connected (rightly so), so what's the point in having a static route to the DMZ ?
0
 
memo_tntCommented:
yes, that should be right
route dmz x.x.x.x 255.255.255.0 y.y.y.y

try and reply
0
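Pulling the thread's pieces together as an added example (this is not the thread's own configuration, and all addresses and interface names are constructed placeholders): a minimal PIX/ASA 8.0 (pre-8.3 syntax) three-interface configuration. It shows the static that makes a DMZ host reachable, the ACL applied to the outside interface that is what actually admits Internet-to-DMZ traffic, an outbound DMZ ACL that limits what a compromised DMZ host can reach, and where a route dmz line is and is not appropriate.

```cisco
! Added example, not from the thread. PIX/ASA 8.0 (pre-8.3) syntax.
! All addresses below are constructed placeholders.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Default route toward the ISP. No "route dmz" line is needed for
! 192.168.10.0/24: it is directly connected, which is why the box rejects one.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! A static route out the dmz interface only makes sense for a network that
! sits behind another router inside the DMZ (constructed: 192.168.20.0/24
! reachable via the DMZ router 192.168.10.254).
route dmz 192.168.20.0 255.255.255.0 192.168.10.254 1
!
! Bidirectional static NAT: DMZ host 192.168.10.10 appears as 203.0.113.10
! on the outside. Because dmz (50) is a higher security level than outside (0),
! this alone lets the DMZ host initiate connections to the Internet.
! It does NOT admit Internet -> DMZ traffic; that needs the outside ACL below.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
!
! If nat-control is enabled (typical on a PIX upgraded from 6.x), other DMZ
! hosts still need a nat/global pair to reach the Internet at all.
nat (dmz) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! Inbound policy: permit only the published services to the mapped address.
! Pre-8.3 ACLs on the outside interface reference the mapped (public) IP.
access-list acl_outside extended permit tcp any host 203.0.113.10 eq 80
access-list acl_outside extended permit tcp any host 203.0.113.10 eq 443
! The implicit deny at the end covers everything else, including the inside.
access-group acl_outside in interface outside
!
! Outbound policy from the DMZ: block the inside network first, then allow
! only what the server legitimately needs (DNS, HTTP, HTTPS).
access-list acl_dmz extended deny ip any 10.0.0.0 255.255.255.0
access-list acl_dmz extended permit udp host 192.168.10.10 any eq 53
access-list acl_dmz extended permit tcp host 192.168.10.10 any eq 80
access-list acl_dmz extended permit tcp host 192.168.10.10 any eq 443
access-group acl_dmz in interface dmz
```

The two halves answer the two directions asked about separately: the static plus the interface security levels cover DMZ to Internet, while Internet to DMZ only works once an access-list is bound to the outside interface with access-group. Binding a permit-any ACL to the dmz interface instead (as in the last suggested config) controls what the DMZ may send out, not what the Internet may send in.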
