topic Re: Basic DMZ question in Network Security

Basic DMZ question

jbrister — Wed, 17 May 2023 13:33:03 GMT

I have a 5515 and am trying to setup a dmz. I guess my question is pretty basic. I have the firewall setup basic outside and inside. I have an access list and an access group in interface outside. If the dmz port is also supposed to be attached to the in interface outside access group how do I split my traffic to go to the dmz or inside? Do I just use the same access list I already have going into the internal network?

ge0/0 is 184.177.71.146 255.255.255.248

ge0/1 is 192.9.200.7 255.255.240.0

ge0/2 would be 192.9.50.0 255.255.255.0

thank you in advance

Re: Basic DMZ question

Flavio Miranda — Wed, 17 May 2023 13:40:22 GMT

If you have an interface nameif dmz, you need to create ACL for this interface the same way you do for Inside and Outside.

access-group xxx <in/out> interface dmz

Re: Basic DMZ question

Rob Ingram — Wed, 17 May 2023 13:43:44 GMT

@jbrister to explictly allow traffic inbound from outside to DMZ or Inside you would permit traffic on the ACL inbound on the outside interface.

To control traffic from DMZ to outside, this would be permitted as default (without an ACL) if the security-level of the DMZ interface is higher than the outside interface. Ideally though you would restrict outbound access from DMZ to outside with an ACL on inbound on the DMZ interface. You must configure an ACL inbound on the DMZ interface to permit traffic from DMZ to the inside interface.

Re: Basic DMZ question

MHM Cisco World — Wed, 17 May 2023 17:06:43 GMT

only make the ACL traffic to DMZ above other ACL line, then put the ACL traffic to IN below DMZ.
it only which one come first.

NOTE:- I check your config I dont see any access-group, what I see is ACL of S2S VPN