topic I think you are pretty much in Network Security

ASA DMZ best practices

Phil Bradley — Tue, 12 Mar 2019 05:26:40 GMT

I am looking for best practices for my DMZ zone on my ASA 5510 to my inside network. I have this currently setup, but would like to know if what I'm doing is best practice. I currently have a proxy server in the DMZ and I am using Nat from my one inside host that needs to access the proxy and not Nat exemption. My thoughts are this hides the internal network address, but is this really necessary? I also allow inside to DMZ, but obviously not DMZ to inside. Should I also only allow the one host and ports from the the inside to DMZ direction? Thanks.

I think you are pretty much

Dennis Mink — Wed, 04 Feb 2015 02:53:42 GMT

I think you are pretty much there.

in terms of allowing access from your DMZ to INSIDE, limit it. legitimate traffic could be syslog, snmp to your management server.

in terms of proxy. you don't necessarily have to stick ity in your DMZ as the outside would not attempt to connect to it.

here is a good read about the concept:http://etherealmind.com/design-enterprise-dmz-firewall-clusters/