|
-
December 29th, 2005, 09:08 PM
#1
Junior Member
ACL for our DMZ
What should our ACL for our DMZ look like? Examples would be nice  The only thing in our DMZ is a mail server and web server. We have a PIX 515. Thanks!
-
December 29th, 2005, 09:21 PM
#2
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
December 29th, 2005, 09:29 PM
#3
I think this one was third or fourth:
http://www.cisco.com/en/US/products/...ps2030/ps2116/
Without the "E" 
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
December 29th, 2005, 09:55 PM
#4
The question is too vague. Please be more specific.
Example:
Here is my IP scheme for the DMZ: 10.10.10.X
I only want to allow SSH to 10.10.10.5 in the dmz. How do I do it?
Answer: permit tcp any host 10.10.10.5 eq 22
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
December 29th, 2005, 09:56 PM
#5
Member
Just configure the static NATing part and the ACL part well cant elaborate much than this,its scenario specific.dinowuff gave a good link.
cheers
bat21
 GOD BLESS YOU
-
December 29th, 2005, 10:05 PM
#6
It's really pretty simple as a concept. The DMZ is a partially secured network in that it, by it's nature, must allow public access to it's resources. Other than that which must be allowed into the DMZ from the public network and that which must be allowed in from the private network everything else should be locked in either direction. Thus the following:-
On the Public Interface
Allow SMTP from Any to DMZ
Allow HTTP from ANY to DMZ
Deny Any from Any to DMZ
Deny Any from Any to Private
On the Private Interface
Allow HTTP from Private to Public
Allow HTTP from Private to DMZ
Allow POP3 from Private to DMZ
Allow SMTP from Private to DMZ
Allow FTP from Private to DMZ, (to update Web Page)
Allow [SMTP Management Port] to DMZ
Allow [Whatever else you need] From Private to Public
Deny Any from DMZ to Private
Deny Any from Private to DMZ
Deny Any from Private from Public
You will note that nothing is allowed to the Private from the DMZ. IOW, any traffic _from_ the DMZ to the Private network is blocked. Only connections initiated from within the Private network on specific ports can be created. Same applies to the Public network.... Nothing can initiate a connection from the Public to the Private and only certain connections can be initiated from the Public to the DMZ to allow those services you provide publicly to function.
In this way you ensure that compromising the Private network is as difficult as possible since you treat the DMZ in the same way you treat the Public network..... _un_-trusted!
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
December 29th, 2005, 10:46 PM
#7
Member
-
December 30th, 2005, 06:00 PM
#8
Junior Member
Thanks. And very nice Tiger Shark! Thanks again.
empty space for sale... never been used... very roomy.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
lol