Re: dmz access out
- From: "flamer die.spam@xxxxxxxxxxx" <die.spam@xxxxxxxxxxx>
- Date: Tue, 29 Apr 2008 20:31:59 -0700 (PDT)
On Apr 30, 6:11 am, mmark751969 <mmark751...@xxxxxxxxx> wrote:
> On Apr 28, 9:28 pm, "flamer die.s...@xxxxxxxxxxx" <die.s...@xxxxxxxxxxx> wrote:
> > Are the hosts on the DMZ on the same subnet as the protected hosts on
> > the LAN? You definitely want to use a different subnet off a different
> > router interface. If a machine on your DMZ becomes compromised (which is
> > why it's on a DMZ to begin with), then the attacker can access the
> > machines on your LAN from the machine on the DMZ (within the same
> > broadcast domain).
> > Have a look at http://www.parkansky.com/tutorials/dmz.htm for a basic
> > example.
> > Flamer.
>
> This is on an ASA 5510 firewall. So yes, it is a different subnet on a
> separate interface. So if I give it the access list above, then I'm
> thinking that I will still be protected from traffic originating from
> the outside, but that all traffic originating from the inside will
> still be able to go through. Does this hold true for the ASA? Thanks
Each interface has a security level: internet = 0, LAN = 100, and DMZ
= 50 (or somewhere in between). A device on an interface can talk to
anything on an interface with a lower security level (so the LAN can talk
to anything), but a lower level cannot initiate a connection to a
higher-level interface unless permitted to do so (by an access list),
so a host out on the internet can't talk to the LAN or DMZ.
Note: that is true for the Cisco PIX; I haven't done too much with
ASAs and I am guessing the same is true.
But yes, your access-list will allow DMZ access and will not affect
your LAN access if they are not in the same range.
Flamer.
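An added example, not from this thread, that models the security-level rule described above together with one PIX/ASA behaviour the thread does not mention: once an access-list is applied inbound on an interface, it replaces the security-level default, so a bare `permit <dmz> any` on the DMZ interface would also let the DMZ initiate connections to the inside unless a deny precedes it. The interface names, subnets and ACL entries are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed interfaces: security level and the subnet behind each (the thread names none).
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
INTERFACE_NET = {
    "outside": ip_network("203.0.113.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
    "inside": ip_network("10.0.0.0/8"),
}

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

def interface_for(addr: str) -> str:
    for name, net in INTERFACE_NET.items():
        if ip_address(addr) in net:
            return name
    raise ValueError(f"no interface owns {addr}")

def acl_permits(acl, src, dst, dport) -> bool:
    # First matching entry wins; an applied ACL ends with an implicit deny.
    for ace in acl:
        if ip_address(src) in ace.src and ip_address(dst) in ace.dst and ace.dport in (None, dport):
            return ace.action == "permit"
    return False

def connection_allowed(src: str, dst: str, dport: int, inbound_acls: dict) -> bool:
    """Decide whether a NEW connection src -> dst:dport may start; inbound_acls maps
    interface name -> ACL applied 'in' on that interface (empty dict = no ACLs)."""
    src_if, dst_if = interface_for(src), interface_for(dst)
    if src_if == dst_if:
        return True  # same subnet: the firewall never sees this traffic
    if src_if in inbound_acls:
        # Once an ACL is applied to an interface it replaces the security-level default.
        return acl_permits(inbound_acls[src_if], src, dst, dport)
    # No ACL: a higher security level may initiate to a lower one, never the reverse.
    return SECURITY_LEVEL[src_if] > SECURITY_LEVEL[dst_if]

# Constructed DMZ ACL: deny DMZ-to-inside first, then let the DMZ reach anything else.
DMZ_ACL = [
    Ace("deny", INTERFACE_NET["dmz"], INTERFACE_NET["inside"]),
    Ace("permit", INTERFACE_NET["dmz"], ip_network("0.0.0.0/0")),
]
```

Dropping the leading deny from `DMZ_ACL` shows the pitfall: the permit-any then matches DMZ-to-inside traffic as well.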