10-07-2015 09:05 AM - edited 03-11-2019 11:42 PM
Currently we have a firewall set up the following way for our business. We are using a Cisco 5510 and the vlans are as described.
Vlan0 - outside (Charter)
Vlan1 - backup (our backup provider if charter goes out)
Vlan2 - Inside (Inside computers, servers and DC)
Vlan3 - Inside (Inside computers, servers and DC)
Vlan4 - Inside (Inside computers, servers and DC)
Vlan5 - Inside (Inside computers, servers and DC)
Vlan6 - DMZ (We use this for a guest wifi, that stays outside of our internal network)
Vlan7 - (Wanting to use this vlan for a new setup.)
This is currently configured and working without any issues. What I am wanting to do with "vlan7" is the following.
We have decided to create a new server that will only be used for our Devs to "play" on. Kind of like a sandbox for them to use in their free time. We do not want this connected to our internal servers so that there is not any worry of messing up our company servers that we have internally. My boss wants this server to be outside of our internal network (very similar to DMZ), but he only wants traffic to come through ports 80/443.
Would I just create another DMZ interface and make or add an Access or NAT rule that only allows 80/443? Or is there a different route I should go with this?
10-07-2015 11:06 AM
Hi,
There are multiple ways by which you can control access to and from the new vlan7.
While writing your access rules you need to keep in mind that the ACL will be evaluated only during creation of a session, so you can make use of the "IN" direction and "OUT" direction of the ACL.
If you don't want traffic to be initiated from vlan7 then you can put a deny ACL in IN direction or you can assign lowest security level to this interface.
If you want to control traffic towards vlan7 then you can apply ACL on vlan7 interface in "OUT" direction.
Hope it helps.
Thanks,
R.Seth
Mark answer as correct if it helps in resolving your query!!!
10-07-2015 12:15 PM
Another add-on to what I am trying to do. Since this is a "Sandbox" server for Devs to use in their free time, what steps would need to be taken to allow them to remote into the server? I have the server currently connected to a DMZ vlan on the firewall, and it does have internet, so it can browse outside sites (ex: www.espn.com). However, from my computer within the internal network I cannot remote into it anymore.
10-12-2015 01:40 PM
I am very new at this, so I am looking for someone to help as far as what exact commands need to be used so that I can do the following. What NAT or ACL rules need to be in place, and how exactly do I type in those commands? I can provide a config if needed.
1. Allow RDP access from inside to DMZ.
2. Also authorize access from DMZ (server inside DMZ) to DC which is located on the inside.
For the purpose of helping me with commands use the following IPs.
Inside - 01.01.01.01
Outside - 02.02.02.02
DMZ - 03.03.03.03
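The following is an added example, not a reply from the thread and not Cisco's own documentation. It puts R.Seth's point about "IN" versus "OUT" ACL direction and security levels into one ASA configuration that also covers the two requests above: RDP from inside to the sandbox, and a narrowly scoped path from the sandbox to the DC. It assumes ASA software 8.3 or later (object-based NAT syntax), a subinterface for vlan7, and constructed RFC 1918 placeholder addresses (10.1.1.0/24 inside, 192.168.7.0/24 sandbox, 192.168.7.10 for the sandbox server, 10.1.1.5 for the DC); the object names, interface name "sandbox", and the specific DC ports are assumptions, not values from the thread.

```cisco
! Added example configuration (not from the thread). ASA 8.3+ syntax assumed.
! All addresses below are constructed placeholders; replace with your own.
!
! --- Sandbox interface on vlan7. A security level lower than inside (100)
! means that, with no ACL applied, the sandbox cannot start sessions toward
! inside; inside can still start sessions toward the sandbox.
interface Ethernet0/2.7
 vlan 7
 nameif sandbox
 security-level 10
 ip address 192.168.7.1 255.255.255.0
!
! --- Network objects (constructed values)
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network SANDBOX_SRV
 host 192.168.7.10
object network DC_SRV
 host 10.1.1.5
!
! --- NAT. Identity NAT keeps inside<->sandbox traffic untranslated so the
! ACLs below match on real addresses; internet-bound sandbox traffic is
! PATed to the outside interface address.
nat (inside,sandbox) source static INSIDE_NET INSIDE_NET destination static SANDBOX_SRV SANDBOX_SRV
object network SANDBOX_SRV
 nat (sandbox,outside) dynamic interface
!
! --- "IN" direction on sandbox: sessions the sandbox may INITIATE.
! Only the assumed minimal DC ports to the DC, then an explicit deny to the
! rest of the inside network BEFORE the web permits, so "any" on 80/443
! cannot reach internal web servers. Final deny logs everything else.
access-list SANDBOX_IN extended permit tcp object SANDBOX_SRV object DC_SRV eq 389
access-list SANDBOX_IN extended permit tcp object SANDBOX_SRV object DC_SRV eq 88
access-list SANDBOX_IN extended permit udp object SANDBOX_SRV object DC_SRV eq 53
access-list SANDBOX_IN extended deny ip any object INSIDE_NET log
access-list SANDBOX_IN extended permit tcp object SANDBOX_SRV any eq 80
access-list SANDBOX_IN extended permit tcp object SANDBOX_SRV any eq 443
access-list SANDBOX_IN extended deny ip any any log
access-group SANDBOX_IN in interface sandbox
!
! --- "OUT" direction on sandbox: sessions that may be DELIVERED INTO the
! sandbox. Only RDP from inside to the sandbox server; return traffic for
! sessions the sandbox opened is still allowed by the stateful inspection.
access-list SANDBOX_OUT extended permit tcp object INSIDE_NET object SANDBOX_SRV eq 3389
access-list SANDBOX_OUT extended deny ip any any log
access-group SANDBOX_OUT out interface sandbox
```

Two things to check after applying something like this. First, if the inside interface already has an inbound ACL, it also needs a line permitting tcp/3389 from the inside hosts to the sandbox server, because the first ACL evaluated is the one on the interface where the session enters. Second, the DC ports listed (LDAP 389, Kerberos 88, DNS 53) are only an assumed minimum; a domain-joined host needs more (SMB, RPC and others), so `show logging` for the `SANDBOX_IN` denies will tell you exactly which additional ports the sandbox is asking for, and each one can be permitted to the DC object alone rather than opening the DMZ-to-inside path with a `permit ip`.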