Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1601
Views
13
Helpful
15
Replies

Communication between the DMZ and secure network

Go to solution
FRANCISCO IBARRA
Level 1
Level 1

‎12-29-2011 05:03 PM - edited ‎03-11-2019 03:08 PM

I have a setup where I have a secure internal network (192.168.1.0/24), a DMZ (192.168.5.0/24) and a public Internet connection. I have the internal network connection to the DMZ and the Internet safe, also I have my internet connection from dmz. But I have no connection to the mysql service from the DMZ to my internal network secure.

This is a piece of code that I think affects this behavior, I am doing wrong?

access-list DMZ_IN extended permit ip any any

access-list DMZ_IN extended permit tcp host 192.168.1.2 host 192.168.5.1 object-group MySql.

access-group DMZ_IN in interface DMZ

nat-control

global (outside) 101 interface

global (DMZ) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 192.168.1.0 255.255.255.0

nat (inside) 101 0.0.0.0 0.0.0.0

static (DMZ,outside) x.x.x.x 192.168.5.1 netmask 255.255.255.255

static (inside,DMZ) 192.168.5.252 192.168.1.2 netmask 255.255.255.255

Labels:
0 Helpful
15 Replies 15

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to FRANCISCO IBARRA

‎12-30-2011 06:13 PM

Hola Francisco,

En este momento tu tienes configurada una ACL que dice permit ip any any en el DMZ por ende tdo el trafico proveniente del DMZ hacia cualquier interfaz con un menor nivel de seguridad sera permitido, ahora con respecto al inside, siempre y cuando exista un static inside,dmz hay un leve riesgo ya que un intruso podria ganar acceso al servidor del dmz y de ahi pasar al SQL server en el inside, ya por estar ahi podria accessar cualquier host en la red segura.

Mi consejo seria permitir acesso solo del servidor en el dmz al servidor al inside. solo eso en la ACL.. Para ello tu access-list deberia tener solo la siguiente linea.

access-list DMZ_IN permit ip host DMZ_SERVER_IP host SQL_INSIDE

Con eso mantendrias un mayor rango de seguridad, aun pondrias mas seguridad si restringes el accesso del outside al DMZ server, pero eso depende de la politica de seguridad de tu red.

Espero esto despeje tus dudas.

Por favor califica las respuestas que proveen ayuda.

Saludos,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card