dmz access out

Would an access list to open all traffic from the DMZ network to outside look like this: access-list dmz_access_outside extended permit ip object-group company_dmz any, where company_dmz is an object group with the address range of the company DMZ? Thanks

Reply to
mmark751969

Are the hosts on the DMZ on the same subnet as the protected hosts on the LAN? You definitely want to use a different subnet off a different router interface. If a machine on your DMZ becomes compromised (which is why it's on a DMZ to begin with), then the attacker can access the machines on your LAN from the machine on the DMZ (within the same broadcast domain).

Have a look at [link] for a basic example.

Flamer.

Reply to
die.spam

This is on an ASA 5510 firewall. So yes, it is a different subnet on a separate interface. So if I give it the access list above, then I'm thinking that I will still be protected from traffic originating from the outside, but that all traffic originating from the inside will still be able to go through. Does this hold true for the ASA? Thanks

Reply to
mmark751969

Each interface has a security level: internet = 0, LAN = 100, and DMZ = 50 (or somewhere in between). A device on an interface can talk to anything on an interface with a lower security level (so the LAN can talk to anything), but a lower level cannot initiate a connection to a higher level interface unless permitted to do so (by an access list), so a host out on the internet can't talk to the LAN or DMZ.

Note: that is true for the Cisco PIX; I haven't done too much with ASAs and I am guessing the same is true.

But yes, your access-list will allow DMZ access and will not affect your LAN access if they are not in the same range.

Flamer.

Reply to
die.spam
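An added configuration example (not from any post in this thread) showing how the pieces discussed above fit together on an ASA: the three interface security levels, the object group from the question, the access-list, and the access-group binding that actually applies it to the dmz interface. Interface names, addresses and the company_inside group are assumed placeholders.

```cisco
! Added example, not the thread's own config; all names and addresses are hypothetical.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
object-group network company_dmz
 network-object 192.168.50.0 255.255.255.0
object-group network company_inside
 network-object 10.0.0.0 255.255.255.0
!
! With no ACL bound, security levels alone decide: inside (100) may initiate to
! dmz (50) and outside (0); dmz may initiate to outside only; outside to nothing.
! Once an ACL is bound inbound on the dmz interface it replaces that default for
! connections the DMZ initiates, so "permit ... any" would also reach inside.
! Deny DMZ -> inside explicitly before the broad permit to keep the LAN shielded.
access-list dmz_access_outside extended deny ip object-group company_dmz object-group company_inside
access-list dmz_access_outside extended permit ip object-group company_dmz any
!
! The ACL does nothing until it is bound to an interface and direction.
access-group dmz_access_outside in interface dmz
```

To check the result, `packet-tracer input dmz tcp 192.168.50.10 12345 10.0.0.5 445` shows which entry a DMZ-to-inside flow matches, and `show access-list dmz_access_outside` shows the hit count on each entry.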
