Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
5
Helpful
1
Replies

PIX DMZ Design Help

boshardy1
Level 1
Level 1

‎12-27-2006 06:54 PM - edited ‎03-11-2019 02:13 AM

I am trying to design a new DMZ. I have two internal subnets 172.16.0.0/16 and 192.168.9.0/24. My DMZ is going to be 172.28.2.192/28. For now I will have 1 web server in the DMZ with ports 80 and 443 needed in. I also want to allow the server in the DMZ to talk to two internal servers as well as respond to pings. I do have an ACL restricting outbound traffic from the inside, so I will need to allow the inside to talk to the DMZ as well. Here is what I have built thus far for config (on paper). Any advice or recommendations would be appreciated.

static (inside,DMZ) 172.16.0.0 172.16.0.0

static (inside,DMZ) 192.168.9.0 192.168.9.0

static (DMZ,outside) 12.34.44.XX 172.28.2.196

access-list DMZ permit host 172.28.2.196 host 172.16.0.17 (to talk with server A on inside)

access-list DMZ permit host 172.28.2.196 host 172.16.0.16 (to talk with server B on inside)

access-list DMZ permit icmp host 172.28.2.196 172.16.0.0 255.255.0.0 (allow ICMP to inside)

access-list DMZ permit 172.16.0.0 255.255.0.0 any (allow inside to talk with DMZ?)

access-list DMZ permit tcp any 172.28.2.196 eq 80 (allow port 80 from inside and outside?)

access-list DMZ permit tcp any 172.28.2.196 eq 443 (allow port 443 from inside and outside?)

access-list outside permit tcp any 12.34.44.X eq 80 (allow outside world into nat'd address for DMZ server)

access-list outside permit tcp any 12.34.44.X eq 443 (allow outside world into nat'd address for DMZ server)

access-list inside permit any 172.28.2.0 255.255.255.XX (allow inside into DMZ)

access-groups XXXXX

Does this look it will work? What am I missing?

Thanks alot.

Labels:
0 Helpful
1 Reply 1

Fernando_Meza
Level 7
Level 7

‎12-27-2006 10:45 PM

Hi ...

according to your requirements you got it 90+ right .. I would suggest the following changes though

access-list DMZ permit ip host 172.28.2.196 host 172.16.0.17 (to talk with server A on inside)

access-list DMZ permit ip host 172.28.2.196 host 172.16.0.16 (to talk with server B on inside)

access-list DMZ permit icmp host 172.28.2.196 172.16.0.0 255.255.0.0 (allow ICMP to inside)

you don't need the other entries from the DMZ access-list

access-list inside permit ip any 172.28.2.0 255.255.255.XX (allow inside into DMZ)

NOTE: this allows all outbound access to the We servers and so you might want to lock it down to the access you required only .. i.e icmp, 80, 443

Appart from that .. you should be OK

I hope it helps .. please rate it if it does !!!

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card