topic Is it standard proceedure to allow internal users to access DMZ servers? in Network Security

Is it standard proceedure to allow internal users to access DMZ servers?

cclinton383 — Mon, 11 Mar 2019 09:50:10 GMT

I have never allowed my internal users to access web based front end servers in my DMZ but it seems a lot of companies are doing this now. So the question is:

Is it standard proceedure to allow internal users to access DMZ servers?

Re: Is it standard proceedure to allow internal users to access

abinjola — Wed, 21 Mar 2007 17:37:36 GMT

well I guess you are the best person to decide that...moreoever if you really need it thana you can open port 80 by applying access-list on inside interface allowing only port 80 to dmz apart making sure the access-list doesnt block anything else...

Re: Is it standard proceedure to allow internal users to access

cclinton383 — Wed, 21 Mar 2007 17:48:52 GMT

Actually I was hoping to get the Cisco veiw on if this is a good standard practice and are there any security reasons not to allow internal users direct access to the DMZ servers.

Re: Is it standard proceedure to allow internal users to access

abinjola — Wed, 21 Mar 2007 17:54:44 GMT

well Cisco Tac recommends as much narrowed down access-rules/permissions as possible, not a complete hole in the system....so try to narrow it down to specific hosts and specific services and ports using the access-lists

access-l abc permit tcp any eq 80

access-l abc deny ip any

access-l abc permit ip any any

access-g abc in interface inside

the above should be good