DMZ to Inside

gparrish · ‎07-29-2003

I just worked on figuring out how to manage traffic from the Inside to the DMZ. I applied the NAT 0 to this traffic since we did not need any NAT. From here I added an access list to permit any traffic coming from the DMZ. We only have a single server there.

My question is should I lock this access list down to just necessary traffic like ICMP, FTP and HTTP or leave it wide open? I assume my only worry is if this box is compromised then it could have free rein to the inside network.

Greg

gfullage · ‎07-29-2003

Lock it down as much as possible. The whole point of having a DMZ is that if the servers on it are compromised, your inside network is stil safe. If all access to this server is initiated from the inside, then you don't need any access-list, cause the PIX will automatically allow the return traffic back (this doesn't include ICMP actually, so you do need to allow that in if you want to be able to ping this server from the inside). Your ACL only needs to allow the traffic types that this server initiates to the inside network, if there isn't anything like that then don't specify an access-list at all.