
DMZ to INSIDE. Is this right?

rvv
Level 1

Hi all!

Our clients need a web server that works for inside and outside.

How do I make it right? When you open a port from DMZ to INSIDE, this is potentially unsafe.

How do I make this safe? :)


m-haddad
Level 5

Well, if you mean that you want inside to communicate with the DMZ web server, all you need is PAT for inside hosts to DMZ. This won't require opening a port from DMZ to inside, because the connection is coming from a higher security level to a lower security level.

Let me know if this answers your question,

Appreciate your rating,

No, I mean that I need DMZ servers to communicate to Inside.

Hi,

If your server will INITIATE the connections to inside users, it is not safe, since malicious code from the outside can use this server as a proxy to gain access to inside.

The idea of a DMZ is that this will only accept connections.

What you can do is limit the access this server has to the inside LAN, or move any required accessed services to the DMZ as well.

Check the Email section on the following page with useful links:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor10

Please rate if this helped.

Regards,

Daniel

Hi!

Yes, my server will initiate connections to inside. I have already limited the access this server has, but I am still trying to find a solution for this problem. This is a common scenario in this company: one server for inside and outside users.

Maybe you know how to achieve this safely?

Hi,

This is as safe as you can get.

Make sure you have antivirus, a firewall and so on on the DMZ server.

With the static command on the PIX you can specify the maximum number of connections to the server, so that you prevent a DoS to it from the internet.

Outside users will be filtered so that only the right ports are allowed.

You can also activate PIX IPS for the DMZ interface.

Please rate if this helped.

Regards,

Daniel
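
The restrictions described in the replies above (limiting what the DMZ server can reach on the inside LAN, and capping connections with the static command), sketched as a PIX 7.x-style configuration. This is an added example, not part of the thread; the interface names, ACL names, all addresses and the back-end port 1433 are constructed assumptions.

```text
! Constructed values: DMZ web server 192.168.2.10, single inside
! back-end host 10.0.0.20, inside LAN 10.0.0.0/24, public IP 203.0.113.10.

! Publish the DMZ server to the internet and cap its TCP load:
! at most 200 simultaneous connections, 50 embryonic (half-open).
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255 tcp 200 50

! Outside users reach only the web ports of the published address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! Expose exactly one inside host to the DMZ (identity static),
! instead of translating the whole inside network.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255

! Weak form, shown commented out for contrast: the web server may
! open any connection to any inside host.
! access-list dmz_in extended permit ip host 192.168.2.10 10.0.0.0 255.255.255.0

! Restricted form: one source, one destination, one port.
access-list dmz_in extended permit tcp host 192.168.2.10 host 10.0.0.20 eq 1433
! Deny and log every other DMZ-to-inside attempt so that a
! compromised web server probing the LAN shows up in syslog.
access-list dmz_in extended deny ip any 10.0.0.0 255.255.255.0 log
access-group dmz_in in interface dmz
```

Because the ACL ends in an implicit deny, the DMZ server also cannot open new connections to the internet; add explicit permits for anything it legitimately needs, such as DNS or update servers.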

Hi!

I have already done all of this.

But I want to know: has anyone deployed this configuration? Maybe there are common ways to minimize risk?