Standard network design

I'm configuring a network that follows the standard inside-outside-DMZ design.

On the inside, I have my workstations, on the outside, I have my ISP and on the DMZ I have my servers. I've configured IP addressing and routing (RIP). I understand that the inside has restricted access to the DMZ and outside, the outside has restricted access to the DMZ and the DMZ has restricted access to the inside and outside. I've placed a router to act as the firewall that separates the 3 sections but I'm not sure how to go about configuring it. I know I could use an ACL but I'm not sure what to permit/deny.

1 ACCEPTED SOLUTION

VIP Expert

Re: Standard network design

Outbound flows (inside=>DMZ, inside=>outside or DMZ=>outside) have the least restrictions, if any, but that's not always a given.

Generally, you logically start by blocking all access (BTW the default of any Cisco ACL), again perhaps only for outbound, and only allow what's really required. I.e. identify what doesn't work, then if verified it's required, allow it.

With ACLs, two features that can be useful are to allow inbound TCP traffic that's tagged as being part of an existing flow and often router ACLs offer a "reflector" feature, that allows an inbound packet that's a "mirror" of an earlier (allowed) outbound packet.

Further, router IOS often supports a FW feature set which can provide many of the features of a dedicated FW.

BTW, sometimes a useful feature, within a DMZ, is a switch that supports private VLANs (which blocks direct host to host communication).

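The answer above describes the approach in words: default-deny, permit only what is required on each side, use "reflect"/"evaluate" (reflexive ACLs) so return traffic for flows that were allowed out is admitted back in, and log what is dropped so you can find out what is genuinely needed. The following IOS configuration is an added example of that layout and is not part of the original post or the Cisco Community thread. Every address, interface name and server role in it is an assumption: inside is 10.1.0.0/24 on Gi0/0, the DMZ is 10.2.0.0/24 on Gi0/1 with a web server at 10.2.0.10 and a DNS server at 10.2.0.20, and the outside is Gi0/2. Adapt the prefixes and published services to the real network before applying anything.

```cisco
! Added example (assumed addressing, not from the post). One inbound ACL per interface.
interface GigabitEthernet0/0
 description INSIDE
 ip address 10.1.0.1 255.255.255.0
 ip access-group INSIDE-IN in
!
interface GigabitEthernet0/1
 description DMZ
 ip address 10.2.0.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/2
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! INSIDE: workstations may start TCP/UDP sessions anywhere; each permitted packet
! creates a temporary reverse entry in INSIDE-REFLECT that the other interfaces evaluate.
ip access-list extended INSIDE-IN
 permit tcp 10.1.0.0 0.0.0.255 any reflect INSIDE-REFLECT timeout 300
 permit udp 10.1.0.0 0.0.0.255 any reflect INSIDE-REFLECT timeout 60
 permit icmp 10.1.0.0 0.0.0.255 any
 deny ip any any log
!
! DMZ: servers may answer sessions opened from inside or outside (evaluate lines first),
! may never start sessions toward the inside, and may only reach the outside for
! DNS, NTP and web fetches (updates). Everything else is dropped and logged.
ip access-list extended DMZ-IN
 evaluate INSIDE-REFLECT
 evaluate OUTSIDE-REFLECT
 deny ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 log
 permit udp 10.2.0.0 0.0.0.255 any eq domain reflect DMZ-REFLECT timeout 60
 permit udp 10.2.0.0 0.0.0.255 any eq ntp reflect DMZ-REFLECT timeout 60
 permit tcp 10.2.0.0 0.0.0.255 any eq 80 reflect DMZ-REFLECT timeout 300
 permit tcp 10.2.0.0 0.0.0.255 any eq 443 reflect DMZ-REFLECT timeout 300
 deny ip any any log
!
! OUTSIDE: only replies to inside/DMZ-originated flows and the published DMZ services.
! Nothing from the outside is ever permitted directly to 10.1.0.0/24.
ip access-list extended OUTSIDE-IN
 evaluate INSIDE-REFLECT
 evaluate DMZ-REFLECT
 permit tcp any host 10.2.0.10 eq 80 reflect OUTSIDE-REFLECT timeout 300
 permit tcp any host 10.2.0.10 eq 443 reflect OUTSIDE-REFLECT timeout 300
 permit udp any host 10.2.0.20 eq domain reflect OUTSIDE-REFLECT timeout 60
 deny ip any any log
! The older alternative mentioned in the answer, "permit tcp any <inside> established",
! only checks for the ACK or RST bit on a packet; reflect/evaluate matches the actual
! reverse 5-tuple of an earlier permitted packet and is the stronger of the two.
```

Two practical notes. First, the "evaluate" lines are placed before the deny DMZ-to-inside entry on purpose: an IOS ACL is processed top down and stops at the first match, so a server's reply to an inside client must be matched by the reflected entry before the blanket deny is reached. Second, the trailing "deny ip any any log" drops routing-protocol traffic too; since the question mentions RIP, RIP updates (UDP 520 to 224.0.0.9) arriving on an interface must be explicitly permitted from the expected neighbour on that interface, or RIP should be run only on interfaces that are not filtered. The logged denies are what the answer calls "identify what doesn't work": review them before adding any new permit.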
