Showing results for 
Search instead for 
Did you mean: 

ASA DMZ best practices

Phil Bradley
Level 4
Level 4

I am looking for best practices for my DMZ zone on my ASA 5510 to my inside network. I have this currently setup, but would like to know if what I'm doing is best practice. I currently have a proxy server in the DMZ and I am using Nat from my one inside host that needs to access the proxy and not Nat exemption. My thoughts are this hides the internal network address, but is this really necessary? I also allow inside to DMZ, but obviously not DMZ to inside. Should I also only allow the one host and ports from the the inside to DMZ direction? Thanks.

1 Reply 1

Dennis Mink
VIP Alumni
VIP Alumni

I think you are pretty much there.


in terms of allowing access from your DMZ to INSIDE, limit it. legitimate traffic could be syslog, snmp to your management server.


in terms of proxy. you don't necessarily have to stick ity in your DMZ as the outside would not attempt to connect to it.


here is a good read about the concept:

Please remember to rate useful posts, by clicking on the stars below.

Review Cisco Networking for a $25 gift card