Installing and Configuring a DMZ

vactech03 · ‎08-04-2004

I’m new to the world of Cisco and I’m trying to find some help on installing and configuring a DMZ. I have a Cisco 1720 router, PIX506E Firewall which is connected to our internal LAN. I have a Single –Port Ethernet WIC, WIC-1ENET, card for the router. I thought that I would install the card into the router and then configure the router for the DMZ; however, the articles that I see are talking about connecting the DMZ to the firewall. What is the best way to setup and configure a DMZ? Do I need to connect the DMZ to the router or to the firewall? Does the DMZ need to have a public/routable ip address or does it need a private/non-routable ip address? Then are there some examples or documentation that you could point me to with the commands needed on how to configure the router/firewall for a DMZ? Thanks in advanced for your help.

astroman · ‎08-04-2004

If I'm understanding this correctly, you'll need to set up the DMZ on the router, because of the PIX 506E only having 2 Ethernet interfaces. The PIX 515E is the first model to have additional interfaces, allowing for dedicated DMZ port/access.

If you have two available ethernet ports on your 1720, you could use one of them for your DMZ, connecting a switch/hub to this port, and placing your publicly accessible servers on this switch/hub.

This link gives a diagram of what your scenario might look like in the end...

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a0080094111.shtml

The use of the IOS Firewall Feature Set on the router, when placing a DMZ on it, is a good idea. Look into that further as well.

As far as public/private ip address concerns, you can use NAT on a DMZ interface if you'd like, adding a small form of security to the DMZ network.

Hopefully this helps a bit...