Standard network design

_bmal
Level 1

I'm configuring a network that follows the standard inside-outside-DMZ design.

On the inside, I have my workstations; on the outside, I have my ISP; and on the DMZ I have my servers. I've configured IP addressing and routing (RIP). I understand that the inside has restricted access to the DMZ and outside, the outside has restricted access to the DMZ, and the DMZ has restricted access to the inside and outside. I've placed a router to act as the firewall that separates the 3 sections, but I'm not sure how to go about configuring it. I know I could use an ACL, but I'm not sure what to permit/deny.

Accepted Solution

Joseph W. Doherty
Hall of Fame
Outbound flows (inside=>DMZ, inside=>outside or DMZ=>outside) have the least restrictions, if any, but that's not always a given.

Generally, you logically start by blocking all access (BTW, the default of any Cisco ACL), again perhaps only for outbound, and only allow what's really required. I.e., identify what doesn't work, then, if verified it's required, allow it.

With ACLs, two features that can be useful are allowing inbound TCP traffic that's tagged as being part of an existing flow and, often, a "reflector" feature that router ACLs offer, which allows an inbound packet that's a "mirror" of an earlier (allowed) outbound packet.

Further, router IOS often supports a FW feature set which can provide many of the features of a dedicated FW.

BTW, sometimes a useful feature, within a DMZ, is a switch that supports private VLANs (which blocks direct host-to-host communication).

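As an added illustration (not configuration from the thread or from the answerer) of the approach above, here is an IOS named-ACL set for the three zones that starts from deny, allows only named services outbound, and admits return traffic through reflexive ("reflect"/"evaluate") entries. Interface names, subnets and server addresses are assumptions; the IOS firewall feature set (CBAC / zone-based firewall) is not shown.

```cisco
! Added example, not from the thread. Assumed, because the post gives none:
!   Gi0/0 = inside 10.1.1.0/24, Gi0/1 = DMZ 203.0.113.0/24 (routable, no NAT),
!   Gi0/2 = outside, DMZ web server 203.0.113.10, DMZ mail relay 203.0.113.25.
! Each ACL ends with an implicit deny; the explicit "deny ip any any log" only
! makes the drops visible. Return traffic is admitted solely where an
! "evaluate" entry finds a mirror of a flow that a "reflect" entry recorded.
!
ip access-list extended INSIDE_IN
 remark inside -> DMZ/outside: least restricted, but still named services only
 permit tcp 10.1.1.0 0.0.0.255 any eq 80 reflect RETURN-TCP timeout 300
 permit tcp 10.1.1.0 0.0.0.255 any eq 443 reflect RETURN-TCP timeout 300
 permit tcp 10.1.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 22 reflect RETURN-TCP timeout 300
 permit udp 10.1.1.0 0.0.0.255 any eq domain reflect RETURN-UDP timeout 60
 deny ip any any log
!
ip access-list extended DMZ_IN
 remark replies to inside-initiated sessions first, then nothing DMZ -> inside
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 deny ip 203.0.113.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 remark DMZ -> outside: only what the servers themselves need
 permit udp 203.0.113.0 0.0.0.255 any eq domain reflect RETURN-UDP timeout 60
 permit tcp host 203.0.113.25 any eq smtp reflect RETURN-TCP timeout 300
 deny ip any any log
!
ip access-list extended OUTSIDE_IN
 remark replies to inside/DMZ-initiated sessions, then published services only
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 remark a packet arriving from the ISP with an inside source address is spoofed
 deny ip 10.1.1.0 0.0.0.255 any log
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.25 eq smtp
 remark keep the RIP line only if RIP really is exchanged with the ISP
 permit udp any eq rip any eq rip
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group INSIDE_IN in
interface GigabitEthernet0/1
 ip access-group DMZ_IN in
interface GigabitEthernet0/2
 ip access-group OUTSIDE_IN in
```

After applying it, `show access-lists` and the log entries from the `deny ... log` lines show exactly which flows are being dropped, which is the "identify what doesn't work, then allow it if required" loop the answer describes.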