Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
676
Views
0
Helpful
1
Replies

ASA DMZ best practices

Phil Bradley
Level 4
Level 4

‎02-03-2015 04:32 PM - edited ‎03-11-2019 10:26 PM

I am looking for best practices for my DMZ zone on my ASA 5510 to my inside network. I have this currently setup, but would like to know if what I'm doing is best practice. I currently have a proxy server in the DMZ and I am using Nat from my one inside host that needs to access the proxy and not Nat exemption. My thoughts are this hides the internal network address, but is this really necessary? I also allow inside to DMZ, but obviously not DMZ to inside. Should I also only allow the one host and ports from the the inside to DMZ direction? Thanks.

Labels:
0 Helpful
1 Reply 1

Dennis Mink
VIP Alumni
VIP Alumni

‎02-03-2015 06:53 PM

I think you are pretty much there.

 

in terms of allowing access from your DMZ to INSIDE, limit it. legitimate traffic could be syslog, snmp to your management server.

 

in terms of proxy. you don't necessarily have to stick ity in your DMZ as the outside would not attempt to connect to it.

 

here is a good read about the concept:http://etherealmind.com/design-enterprise-dmz-firewall-clusters/

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card