XI in DMZ Zone

Hi,
Can we put the XI server in DMZ Zone? Thank you.
Rgds,
Hapizorr

Hi Hapizorr,
Proxies and application gateways are placed in the outer DMZ, providing access control between Internet and internal networks. In an inner DMZ, an Integration Server is placed. It exchanges documents with external partners and the business system in the server LAN.
Refer to the recommendations given in the SAP WAS Security Guide in the Web Infrastructure Concepts for SAP WAS for the protection of the Integration Server and the business systems.
I hope this helps.
Regards.
Praveen

Similar Messages

  • Load Balance guest Internet access via two different DMZ zones at two sites

    Hi Sir,
    My customer has the following unified wireless guest access requirement:
    - There are 2 internet links and dmz zones at two different locations, Site A and Site B
    - Data centre is at Site A
    - WiSM is proposed to be installed at the Cat 6500 in Site A
    - Lightweight AP are distributed across Site A, Site B and other branches
    - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
    My customer would like to load balance the guest via the two internet links at Site A and Site B but with the same SSID across all locations. Can it be done since there is only one anchor at Site A? How about putting another anchor WLC at Site B, DMZ zone? But how can I establish two EoIP tunnels to two different anchor WLCs from a single WiSM?
    Thanks for your help
    Delon

    You can... but you can't control where the traffic will flow. The WLC will determine which DMZ WLC it will use. The WLC will load balance, but traffic in site A might go to site B. I currently have deployed that scenario in multiple client installations....

  • OSB doesn't work with DMZ zone

    Hello all,
    I have configured a DMZ zone in our network infra. But after that, our web service doesn't work.
    We have two IP addresses, which are public (x.x.x.x) and osb (y.y.y.y).
    This is my hosts config:
    127.0.0.1 localhost.localdomain localhost
    y.y.y.y     osb-domain    osb-domain.mn
    Our web service endpoint url is:
    <WL5G3N0:service name="demoSOAPQSService">
    <WL5G3N0:port binding="WL5G3N1:demoSOAP" name="demoSOAPQSPort">
    <WL5G3N2:address location="http://osb-domain:7001/OSB_Project/demo/ProxyService/demo"/>
    </WL5G3N0:port>
    </WL5G3N0:service>
    I'm getting following error:
    Exception in thread "main" com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection refused: connect
         at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:138)
         at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:187)
         at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
         at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
         at com.sun.xml.ws.client.Stub.process(Stub.java:272)
         at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
         at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
         at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
         at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
         at $Proxy29.hello(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
         at $Proxy30.hello(Unknown Source)
         at a.RegisterUsersWSPortClient.main(RegisterUsersWSPortClient.java:13)
    Caused by: java.net.ConnectException: Connection refused: connect
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
         at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
         at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
         at java.net.Socket.connect(Socket.java:529)
         at java.net.Socket.connect(Socket.java:478)
         at sun.net.NetworkClient.doConnect(NetworkClient.java:163)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
         at sun.net.www.http.HttpClient.<init>(HttpClient.java:233)
         at sun.net.www.http.HttpClient.New(HttpClient.java:306)
         at sun.net.www.http.HttpClient.New(HttpClient.java:323)
         at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
         at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
         at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:126)
         ... 20 more
    It works with web service test of OSB Console. But it's not working from client application (x.x.x.x ip).
    It was working before DMZ configuration.
    Are there any other configurations required?
    BR,
    Eba

    Hi Eba,
    It's not clear from where you are trying to access OSB. I believe from outside the DMZ.
    First step, make sure that Weblogic is listening to your y.y.y.y address, and not only 127.0.0.1
    1) Run netstat -na | grep 7001
    You should see which IP addresses WebLogic bound on port 7001
    Hopefully you will see y.y.y.y
    Try to connect using telnet from the OSB server itself: telnet y.y.y.y 7001
    If that doesn't work, make sure that in the weblogic server config, the listen address is either empty, or it has y.y.y.y (better to leave it empty).
    2) If you can connect from the local server to port 7001 using y.y.y.y address, then try to connect from your remote server
    If it fails, it is probably a config issue in the router/firewall
    Regards,
    Fabio
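
The listener check from the answer above, as an added example that is not part of the original thread: it classifies how port 7001 is bound from `netstat -na` output and maps the local and remote connect results onto the answer's two steps. The sample netstat lines are constructed, 192.0.2.10 stands in for y.y.y.y, the function names are hypothetical, and the "not-listening" outcome is an addition the answer does not cover.

```shell
#!/bin/sh
# Added example. Assumes Linux- or Windows-style `netstat -na` output, where
# the local address is printed as "addr:port".

# classify_listener PORT -- reads `netstat -na` output on stdin and prints
#   wildcard | specific:<addr[,addr...]> | loopback-only | not-listening
classify_listener() {
    awk -v port="$1" '
        BEGIN { suffix = ":" port "$" }
        /LISTEN/ {                      # matches LISTEN and LISTENING
            for (i = 1; i <= NF; i++) {
                if ($i ~ suffix) {
                    # Strip the trailing ":port" to get the bound address.
                    addr = substr($i, 1, length($i) - length(port) - 1)
                    if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
                        wildcard = 1
                    else if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]")
                        loopback = 1
                    else if (!(addr in seen)) {
                        seen[addr] = 1
                        list = (list == "" ? addr : list "," addr)
                    }
                    break               # first match is the local address column
                }
            }
        }
        END {
            if (wildcard)        print "wildcard"
            else if (list != "") print "specific:" list
            else if (loopback)   print "loopback-only"
            else                 print "not-listening"
        }'
}

# tcp_ok HOST PORT -- prints yes/no. Assumes an nc (netcat) that supports -z and -w.
tcp_ok() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# next_step BINDING LOCAL_OK REMOTE_OK -- LOCAL_OK / REMOTE_OK are "yes" or "no":
# did a TCP connect to the server address on port 7001 succeed from the OSB host
# itself (step 1) and from the client host (step 2)?
next_step() {
    case "$1" in
        not-listening) echo "server-not-started-or-wrong-port"; return ;;
        loopback-only) echo "fix-weblogic-listen-address"; return ;;
    esac
    if [ "$2" != yes ]; then
        echo "fix-weblogic-listen-address"   # listen address is not empty / not y.y.y.y
    elif [ "$3" != yes ]; then
        echo "check-router-firewall"         # server is fine, the path to it is not
    else
        echo "reachable"
    fi
}

# Constructed sample outputs (not taken from the thread).
SAMPLE_LOOPBACK='tcp        0      0 127.0.0.1:7001          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           0.0.0.0:*               LISTEN'
SAMPLE_SPECIFIC='tcp        0      0 192.0.2.10:7001         0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:7001         198.51.100.7:51514      ESTABLISHED'
SAMPLE_WILDCARD='  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING
tcp6       0      0 :::17001                :::*                    LISTEN'

# Demo on the constructed samples; on a real host use:
#   netstat -na | classify_listener 7001
for sample in "$SAMPLE_LOOPBACK" "$SAMPLE_SPECIFIC" "$SAMPLE_WILDCARD"; do
    printf '%s\n' "$sample" | classify_listener 7001
done
```

A "specific" result only helps if the listed address is the one clients are routed to; otherwise the local connect in step 1 fails and the listen address is still the thing to fix.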

  • ZBFW - dmz-zone to in-zone access

    Hi IOSers,
    I have a Cisco 2901 which terminates a Class C address pool.
    I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
    dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
    in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
    private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
    I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
    Within the:
    dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS
    in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server
    private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone
    My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
    I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.
    However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
    I have Policy:
    POLICY-DMZ-IN (dmz-zone to in-zone) which has:
    any any udp/tcp inspect
    any any icmp inspect
    unmatched traffic DROP/LOG
    But I still cannot get anything from dmz-zone to in-zone...
    Can anyone please advise...
    Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
    I think I am making a basically incorrect assumption somewhere ...
    NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
    Thanks for any expertise you can bring to help resolve this.
    Regards,
    Zebity.

    Hi Karthikeyan,
    thank you for offering to look at this, I do all my configuration using CCP, which is a lot easier than pawing over IOS commands.
    I have dumped out the config, but as it is hard to pull out the particular part of the config, please find the following screen snap & config:
    The areas where I think there are problems are with "self" zone items (can I get rid of self zone case completely, with exception of blocking any external (DSL) access to self?)
    and the dmz-zone to in-zone and in-zone to dmz-zone configs.
    Building configuration...
    Current configuration : 32292 bytes
    ! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin
    ! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname big
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
    no aaa new-model
    no ipv6 cef
    no ip source-route
    ip cef
    ip dhcp excluded-address 168.192.200.1 168.192.200.99
    ip dhcp excluded-address 168.192.200.126 168.192.200.254
    ip dhcp excluded-address 200.200.200.1 200.200.200.79
    ip dhcp excluded-address 200.200.200.91 200.200.200.126
    ip dhcp pool PRIVATE-POOL-1
       import all
       network 168.192.200.0 255.255.255.0
       domain-name in.froghop.com
       dns-server 200.200.200.20 200.200.200.4
       default-router 168.192.200.1
    ip dhcp pool FROGHOP-POOL-2
       import all
       network 200.200.200.0 255.255.255.128
       domain-name froghop.com
       dns-server 200.200.200.20 200.200.200.4
       default-router 200.200.200.1
    no ip bootp server
    ip domain name froghop.com
    ip name-server 200.200.200.4
    ip name-server 200.200.200.20
    ip inspect log drop-pkt
    ip inspect audit-trail
    ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
    ip inspect name CCP_MEDIUM dns
    ip inspect name CCP_MEDIUM ftp
    ip inspect name CCP_MEDIUM h323
    ip inspect name CCP_MEDIUM sip
    ip inspect name CCP_MEDIUM https
    ip inspect name CCP_MEDIUM icmp
    ip inspect name CCP_MEDIUM imap reset
    ip inspect name CCP_MEDIUM pop3 reset
    ip inspect name CCP_MEDIUM netshow
    ip inspect name CCP_MEDIUM rcmd
    ip inspect name CCP_MEDIUM realaudio
    ip inspect name CCP_MEDIUM rtsp
    ip inspect name CCP_MEDIUM esmtp
    ip inspect name CCP_MEDIUM sqlnet
    ip inspect name CCP_MEDIUM streamworks
    ip inspect name CCP_MEDIUM tftp
    ip inspect name CCP_MEDIUM tcp
    ip inspect name CCP_MEDIUM udp
    ip inspect name CCP_MEDIUM vdolive
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp
    appfw policy-name CCP_MEDIUM
      application im aol
        service default action allow alarm
        service text-chat action allow alarm
        server permit name login.oscar.aol.com
        server permit name toc.oscar.aol.com
        server permit name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action allow alarm
        service text-chat action allow alarm
        server permit name messenger.hotmail.com
        server permit name gateway.messenger.hotmail.com
        server permit name webmessenger.msn.com
        audit-trail on
      application http
        strict-http action allow alarm
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action allow alarm
      application im yahoo
        service default action allow alarm
        service text-chat action allow alarm
        server permit name scs.msg.yahoo.com
        server permit name scsa.msg.yahoo.com
        server permit name scsb.msg.yahoo.com
        server permit name scsc.msg.yahoo.com
        server permit name scsd.msg.yahoo.com
        server permit name cs16.msg.dcn.yahoo.com
        server permit name cs19.msg.dcn.yahoo.com
        server permit name cs42.msg.dcn.yahoo.com
        server permit name cs53.msg.dcn.yahoo.com
        server permit name cs54.msg.dcn.yahoo.com
        server permit name ads1.vip.scd.yahoo.com
        server permit name radio1.launch.vip.dal.yahoo.com
        server permit name in1.msg.vip.re2.yahoo.com
        server permit name data1.my.vip.sc5.yahoo.com
        server permit name address1.pim.vip.mud.yahoo.com
        server permit name edit.messenger.yahoo.com
        server permit name messenger.yahoo.com
        server permit name http.pager.yahoo.com
        server permit name privacy.yahoo.com
        server permit name csa.yahoo.com
        server permit name csb.yahoo.com
        server permit name csc.yahoo.com
        audit-trail on
    multilink bundle-name authenticated
    parameter-map type inspect global
    log dropped-packets enable
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-2085601892
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2085601892
    revocation-check none
    crypto pki certificate chain TP-self-signed-2085601892
    certificate self-signed 01
      XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX
      4F5E79FE 8C76B0EC BC5DD668 69BE1A
                quit
    license udi pid CISCO2901/K9 sn FTXXXXXXXXXX
    hw-module pvdm 0/0
    username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redundancy
    ip tcp synwait-time 10
    no ip ftp passive
    class-map type inspect match-any OPEN-TRAFFIC-OUT-190
    match access-group name OPEN-TRAFFIC-OUT-190
    class-map type inspect match-any SMTPS-TRAFFIC-IN
    match access-group name SMTPS-IN
    class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT
    match access-group name NAT-POOL-TRAFFIC-OUT
    match protocol tcp
    class-map type inspect imap match-any ccp-app-imap
    match  invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT
    match access-group name NAT-POOL-TRAFFIC-OUT
    match protocol udp
    class-map type inspect match-all SELF-DNS-OUT
    match access-group name SELF-DNS-OUT
    match protocol dns
    class-map type inspect match-any SMTP-PROTOCOL
    match protocol smtp
    class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1
    match class-map SMTP-PROTOCOL
    match access-group name DMZ-MAIL-OUT
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any SIP-PROTOCOLS
    match protocol sip
    match protocol sip-tls
    class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2
    match class-map SIP-PROTOCOLS
    match access-group name DMS-SIP-TRAFFIC
    class-map type inspect match-any OPEN-TRAFFIC-OUT-140
    match access-group name OPEN-TRAFFIC-OUT-140
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect gnutella match-any ccp-app-gnutella
    match  file-transfer
    class-map type inspect match-any OPENDIR-PROTOCOLS
    match protocol kerberos
    match protocol ldap
    match protocol ldaps
    match protocol ldap-admin
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
    match  service any
    match  service text-chat
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
    match  service any
    class-map type inspect match-any SYSLOG-PROTOCOL
    match protocol syslog
    class-map type inspect match-any ICMP-PROTOCOLS
    match protocol icmp
    class-map type inspect match-all SELF-ICMP
    match access-group name SELF-ICMP-TRAFFIC
    match class-map ICMP-PROTOCOLS
    class-map type inspect match-any DMZ-DNS
    match protocol dns
    class-map type inspect match-all OPENDIR-OUT
    match class-map OPENDIR-PROTOCOLS
    match access-group name OPENDIR-TRAFFIC
    class-map type inspect match-all SMTPS-TRAFFIC
    match class-map SMTPS-TRAFFIC-IN
    match protocol tcp
    class-map type inspect match-any TRUSTED-HOSTS
    match access-group name TRUSTED-HOSTS
    match protocol udp
    match protocol tcp
    match protocol icmp
    class-map type inspect match-any TRANSPORT-PROTOCOLS
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
    match  service any
    class-map match-any sdm_p2p_kazaa
    match protocol fasttrack
    match protocol kazaa2
    class-map type inspect match-any WEB-PROTOCOLS
    match protocol http
    match protocol https
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map match-any sdm_p2p_edonkey
    match protocol edonkey
    class-map type inspect match-any SELF-DNS-IN
    match access-group name SELF-DNS-IN
    match protocol dns
    class-map match-any sdm_p2p_gnutella
    match protocol gnutella
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any OPEN-TRAFFIC-IN-140
    match access-group name OPEN-TRAFFIC-IN-140
    class-map type inspect match-all SYSLOG-IN-DMZ
    match access-group name SYSLOG-TRAFFIC
    match class-map SYSLOG-PROTOCOL
    class-map type inspect pop3 match-any ccp-app-pop3
    match  invalid-command
    class-map match-any sdm_p2p_bittorrent
    match protocol bittorrent
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
    match  file-transfer
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
    match  service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
    match  service text-chat
    match  service any
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
    match class-map SMTP-PROTOCOL
    match access-group name SMTP-TRAFFIC
    class-map type inspect match-any DNS-PROTOCOL
    match protocol dns
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
    match class-map ICMP-PROTOCOLS
    match access-group name IN-ZONE-ICMP
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-any ACCESS-PROTOCOLS
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
    match class-map ACCESS-PROTOCOLS
    match access-group name DMZ-ZONE-TRAFFIC
    class-map type inspect http match-any ccp-app-httpmethods
    match  request method bcopy
    match  request method bdelete
    match  request method bmove
    match  request method bpropfind
    match  request method bproppatch
    match  request method connect
    match  request method copy
    match  request method delete
    match  request method edit
    match  request method getattribute
    match  request method getattributenames
    match  request method getproperties
    match  request method index
    match  request method lock
    match  request method mkcol
    match  request method mkdir
    match  request method move
    match  request method notify
    match  request method options
    match  request method poll
    match  request method propfind
    match  request method proppatch
    match  request method put
    match  request method revadd
    match  request method revlabel
    match  request method revlog
    match  request method revnum
    match  request method save
    match  request method search
    match  request method setattribute
    match  request method startrev
    match  request method stoprev
    match  request method subscribe
    match  request method trace
    match  request method unedit
    match  request method unlock
    match  request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
    match  file-transfer
    match  text-chat
    match  search-file-name
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all PUSH-NOTIFICATIONS
    match access-group name PUSH-NOTIFICATIONS
    match protocol tcp
    class-map type inspect http match-any ccp-http-blockparam
    match  request port-misuse im
    match  request port-misuse p2p
    match  req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
    match  file-transfer
    class-map type inspect match-all DEST-DNS
    match access-group name DEST-DNS
    match class-map DNS-PROTOCOL
    class-map type inspect aol match-any ccp-app-aol
    match  service text-chat
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect edonkey match-any ccp-app-edonkeychat
    match  search-file-name
    match  text-chat
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
    match class-map SYSLOG-PROTOCOL
    match access-group name DMZ-SYSLOG
    class-map type inspect match-any FTP-PROTOCOL
    match protocol ftp
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
    match class-map ICMP-PROTOCOLS
    match access-group name DMZ-ICMP
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3
    match class-map WEB-PROTOCOLS
    match access-group name DMZ-WEB
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4
    match class-map SIP-PROTOCOLS
    match access-group name DMZ-SIP
    class-map type inspect match-any TIME-PROTOCOLS
    match protocol ntp
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5
    match class-map DMZ-DNS
    match access-group name DMZ-DNS-TRAFFIC
    class-map type inspect http match-any ccp-http-allowparam
    match  request port-misuse tunneling
    class-map type inspect fasttrack match-any ccp-app-fasttrack
    match  file-transfer
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6
    match class-map ACCESS-PROTOCOLS
    match access-group name IN-ZONE-TRAFFIC
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect POLICY-PRIVATE-TRANSIT
    class type inspect ACCESS-PROTOCOLS
      pass log
    class class-default
      drop
    policy-map type inspect p2p ccp-action-app-p2p
    class type inspect edonkey ccp-app-edonkeychat
      log
      allow
    class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
    class type inspect fasttrack ccp-app-fasttrack
      log
      allow
    class type inspect gnutella ccp-app-gnutella
      log
      allow
    class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect POLICY-IN-SELF
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-SELF-IN
    class type inspect OPEN-TRAFFIC-OUT-190
      pass
    class type inspect ccp-icmp-access
      inspect
    class class-default
      drop
    policy-map type inspect POLICY-DMZ-OUT
    class type inspect TIME-PROTOCOLS
      inspect
    class type inspect WEB-PROTOCOLS
      inspect
    class type inspect FTP-PROTOCOL
      inspect
    class type inspect ccp-cls-POLICY-DMZ-OUT-2
      inspect
    class type inspect ccp-cls-POLICY-DMZ-OUT-1
      inspect
    class type inspect PUSH-NOTIFICATIONS
      inspect
    class type inspect DEST-DNS
      inspect
    class class-default
      drop log
    policy-map type inspect im ccp-action-app-im
    class type inspect aol ccp-app-aol
      log
      allow
    class type inspect msnmsgr ccp-app-msn
      log
      allow
    class type inspect ymsgr ccp-app-yahoo
      log
      allow
    class type inspect aol ccp-app-aol-otherservices
      log
      reset
    class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
    class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      allow
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
      log
      allow
    class type inspect http ccp-app-httpmethods
      log
      allow
    class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ICMP-PROTOCOLS
      inspect
    class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
    class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
    class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-PRIVATE-IN-DMZ
    class type inspect TRANSPORT-PROTOCOLS
      inspect
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-IN-OUT
    class type inspect OPEN-TRAFFIC-OUT-140
      pass log
    class type inspect WEB-PROTOCOLS
      inspect
    class type inspect OPENDIR-OUT
      inspect
    class type inspect DEST-DNS
      inspect
    class type inspect PUSH-NOTIFICATIONS
      inspect
    class class-default
      drop log
    policy-map type inspect ccp-permit
    class class-default
      drop
    policy-map type inspect POLICY-DMZ-SELF
    class type inspect ICMP-PROTOCOLS
      inspect
    class type inspect TRANSPORT-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-SELF-OUT
    class type inspect SELF-DNS-OUT
      pass
    class type inspect TIME-PROTOCOLS
      pass
    class type inspect NAT-POOL-UDP-TRAFFIC-OUT
      inspect
    class type inspect NAT-POOL-TCP-TRAFFIC-OUT
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-OUT-SELF
    class type inspect SELF-DNS-IN
      pass
    class type inspect TIME-PROTOCOLS
      pass
    class type inspect SELF-ICMP
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-IN-DMZ
    class type inspect SYSLOG-IN-DMZ
      pass
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-DMZ-IN
    class type inspect TRANSPORT-PROTOCOLS
      inspect
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect ccp-permit-dmzservice
    class type inspect ccp-cls-ccp-permit-dmzservice-4
      inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-1
      pass
    class type inspect ccp-cls-ccp-permit-dmzservice-3
      inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-5
      inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-2
      inspect
    class class-default
      drop log
    policy-map type inspect ccp-pol-outToIn
    class type inspect OPEN-TRAFFIC-IN-140
      pass
    class type inspect ccp-cls-ccp-pol-outToIn-1
      inspect
    class type inspect ccp-cls-ccp-pol-outToIn-2
      inspect
    class type inspect SMTPS-TRAFFIC
      inspect
    class type inspect SMTPS-TRAFFIC-IN
      pass log
    class class-default
      drop log
    policy-map sdmappfwp2p_CCP_MEDIUM
    class sdm_p2p_edonkey
    class sdm_p2p_gnutella
    class sdm_p2p_kazaa
    class sdm_p2p_bittorrent
    zone security dmz-zone
    zone security in-zone
    zone security out-zone
    zone security PRIVATE-ZONE
    zone security PRIVATE-IN
    zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
    service-policy type inspect ccp-permit-dmzservice
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect POLICY-IN-OUT
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
    service-policy type inspect ccp-pol-outToIn
    zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
    service-policy type inspect POLICY-DMZ-IN
    zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone
    service-policy type inspect POLICY-DMZ-OUT
    zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone
    service-policy type inspect POLICY-IN-DMZ
    zone-pair security ZP-OUT-SELF source out-zone destination self
    service-policy type inspect POLICY-OUT-SELF
    zone-pair security ZP-SELF-OUT source self destination out-zone
    service-policy type inspect POLICY-SELF-OUT
    zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone
    service-policy type inspect POLICY-PRIVATE-IN-DMZ
    zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone
    service-policy type inspect POLICY-PRIVATE-IN-DMZ
    zone-pair security ZP-IN-SELF source in-zone destination self
    service-policy type inspect POLICY-IN-SELF
    zone-pair security ZP-SELF-IN source self destination in-zone
    service-policy type inspect POLICY-SELF-IN
    zone-pair security ZP-DMZ-SELF source dmz-zone destination self
    service-policy type inspect POLICY-DMZ-SELF
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    interface Loopback0
    ip address 200.200.200.190 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    zone-member security in-zone
    interface Null0
    no ip unreachables
    interface GigabitEthernet0/0
    description $ETH-LAN$$FW_INSIDE$
    ip address 200.200.200.130 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    zone-member security in-zone
    duplex auto
    speed auto
    no mop enabled
    interface GigabitEthernet0/1
    description $ETH-LAN$$FW_INSIDE$
    ip address 168.192.200.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security PRIVATE-ZONE
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/2/0
    description $ETH-LAN$$FW_INSIDE$
    ip address 192.168.1.160 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security PRIVATE-ZONE
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/2/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    duplex auto
    speed auto
    no mop enabled
    interface ATM0/3/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    interface ATM0/3/0.1 point-to-point
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface GigabitEthernet0/0/0
    interface GigabitEthernet0/0/1
    interface GigabitEthernet0/0/2
    interface GigabitEthernet0/0/3
    interface Virtual-Template1 type serial
    description $FW_INSIDE$
    ip unnumbered Loopback0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    zone-member security in-zone
    interface Vlan1
    description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$
    ip address 200.200.200.1 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security dmz-zone
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 210.210.210.154 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 7 XXXXXXXXXXXXXXXX
    ppp pap sent-username [email protected] password 7 XXXXXXXXXXXX
    service-policy input sdmappfwp2p_CCP_MEDIUM
    service-policy output sdmappfwp2p_CCP_MEDIUM
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip flow-top-talkers
    top 200
    sort-by bytes
    cache-timeout 500
    ip dns server
    ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224
    ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
    ip route 0.0.0.0 0.0.0.0 210.210.210.1
    ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent
    ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
    ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent
    ip route 200.200.200.0 255.255.255.128 Vlan1 permanent
    ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent
    ip route 200.200.200.160 255.255.255.224 Loopback0 permanent
    ip access-list extended DEST-DNS
    remark CCP_ACL Category=1
    permit udp any any eq domain
    ip access-list extended DMS-SIP-TRAFFIC
    remark CCP_ACL Category=128
    permit ip host 200.200.200.30 any
    permit ip host 200.200.200.40 any
    ip access-list extended DMZ-DNS-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.20
    ip access-list extended DMZ-ICMP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended DMZ-MAIL-OUT
    remark CCP_ACL Category=128
    permit ip any host 230.211.70.60
    permit ip any host 230.250.90.137
    ip access-list extended DMZ-SIP
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.40
    permit ip any host 200.200.200.30
    ip access-list extended DMZ-SYSLOG
    remark CCP_ACL Category=128
    permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
    permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32
    ip access-list extended DMZ-WEB
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.35
    permit ip any host 200.200.200.20
    ip access-list extended DMZ-ZONE-TRAFFIC
    remark CCP_ACL Category=128
    permit ip 200.200.200.0 0.0.0.128 any
    ip access-list extended ESP-TRAFFIC
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended IN-ZONE-ICMP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended IN-ZONE-TRAFFIC
    remark CCP_ACL Category=128
    permit ip host 200.200.200.140 any
    ip access-list extended NAT-POOL-TRAFFIC-IN
    remark CCP_ACL Category=128
    permit ip any 0.0.0.0 255.255.255.224
    ip access-list extended NAT-POOL-TRAFFIC-OUT
    remark CCP_ACL Category=128
    permit ip 0.0.0.30 255.255.255.224 any
    ip access-list extended OPEN-TRAFFIC-IN-140
    remark CCP_ACL Category=1
    permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp
    permit esp host 230.211.70.60 host 200.200.200.140
    permit ip host 230.211.70.10 host 200.200.200.140
    permit tcp host 230.211.70.35 host 200.200.200.140
    deny   ip host 230.211.70.60 host 200.200.200.140
    ip access-list extended OPEN-TRAFFIC-OUT-140
    remark CCP_ACL Category=1
    permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp
    permit esp host 200.200.200.140 host 230.211.70.60
    permit ip host 200.200.200.140 host 230.211.70.10
    permit tcp host 200.200.200.140 host 230.211.70.35
    deny   ip host 200.200.200.140 host 230.211.70.60
    ip access-list extended OPENDIR-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 230.211.70.10
    ip access-list extended PUSH-NOTIFICATIONS
    remark CCP_ACL Category=1
    permit tcp any any eq 5223
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=1
    permit gre any any
    ip access-list extended SELF-DNS-IN
    remark CCP_ACL Category=1
    permit udp any eq domain any
    ip access-list extended SELF-DNS-OUT
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.20
    permit ip any host 200.200.200.4
    ip access-list extended SELF-ICMP-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.190
    ip access-list extended SMTP-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.140
    ip access-list extended SMTPS-IN
    remark CCP_ACL Category=1
    permit tcp any any eq 465
    permit tcp any any eq 587
    ip access-list extended SMTPS-OUT
    remark CCP_ACL Category=1
    permit tcp any eq 465 any
    permit tcp any eq 587 any
    ip access-list extended SYSLOG-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.32
    ip access-list extended TRUSTED-HOSTS
    remark CCP_ACL Category=128
    permit ip host 230.211.70.35 any
    permit ip host 230.211.70.60 any
    logging 200.200.200.32
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 168.192.200.0 0.0.0.255
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 210.210.210.0 0.0.0.255 any
    access-list 100 permit ip 200.200.200.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 permit ip 168.192.200.0 0.0.0.255 any
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 102
    control-plane
    banner login ^CThis device is propoerty of FROGHOP and all activity is logged.^C
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 192.189.54.17
    ntp server 192.189.54.33
    ntp server 203.161.12.165
    ntp server 130.102.2.123
    end
    Thanks in advance for any tips.
    Regards,
    John.
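An added example, not part of the original post: a small Python lint for the wildcard masks in the ACLs of the configuration above. IOS wildcards are inverse masks, so `0.0.0.128` in DMZ-ZONE-TRAFFIC matches only two addresses, and `255.255.255.224` in the NAT-POOL ACLs constrains only the low five bits of the address. The function names are this example's own.

```python
import ipaddress

# Constructed sample: ACL entries copied from the configuration posted above.
SAMPLE_CONFIG = """\
ip access-list extended DMZ-SYSLOG
 permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
ip access-list extended DMZ-ZONE-TRAFFIC
 permit ip 200.200.200.0 0.0.0.128 any
ip access-list extended NAT-POOL-TRAFFIC-OUT
 permit ip 0.0.0.30 255.255.255.224 any
"""


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def classify_wildcard(wildcard):
    """Classify an IOS wildcard (inverse) mask by its bit pattern."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1) == 0:              # 0..01..1: ordinary inverse mask
        return "ok"
    inverse = ~w & 0xFFFFFFFF
    if inverse & (inverse + 1) == 0:  # 1..10..0: subnet mask typed as wildcard
        return "netmask-as-wildcard"
    return "non-contiguous"


def address_pairs(tokens):
    """Yield (address, wildcard) operands, skipping 'host A' and 'any'."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "host":
            i += 2
        elif i + 1 < len(tokens) and is_ipv4(tokens[i]) and is_ipv4(tokens[i + 1]):
            yield tokens[i], tokens[i + 1]
            i += 2
        else:
            i += 1


def check_entry(acl, tokens):
    """Findings for one entry (each 1 bit in a wildcard is a don't-care bit)."""
    return [
        (acl, addr, wc, classify_wildcard(wc),
         2 ** bin(int(ipaddress.IPv4Address(wc))).count("1"))
        for addr, wc in address_pairs(tokens)
        if classify_wildcard(wc) != "ok"
    ]


def lint_acls(config_text):
    """Return (acl, address, wildcard, verdict, addresses_matched) tuples."""
    findings, current = [], None
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["ip", "access-list"] and len(words) == 4:
            current = words[3]          # named ACL header
        elif words[:1] == ["access-list"] and len(words) > 2:
            findings += check_entry(words[1], words[2:])   # numbered ACL
        elif current and words[:1] in (["permit"], ["deny"]):
            findings += check_entry(current, words)
        elif words[:1] != ["remark"]:
            current = None              # any other command leaves ACL sub-mode
    return findings


if __name__ == "__main__":
    for finding in lint_acls(SAMPLE_CONFIG):
        print("%s: %s %s -> %s (%d addresses matched)" % finding)
```

For comparison, Vlan1 in the same configuration is addressed as 200.200.200.1 255.255.255.128, and the inverse of that mask is 0.0.0.127.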

  • Needing to create a DMZ zone/vlan on a small ASA.

    Hopefully an easy question as this is not my forte.
    I have a small ASA-5505 running 8.2(2).
    I have 2 vlans
    inside 192.168.58.0/24 – security level 25
    outside 25.65.25.134/30 – security level 0
    I want to create a small DMZ with the public range I was given, a /29 block that is being forwarded to me. 
    How do I setup a DMZ zone to account for this block when I am connecting over a /30 network.

    Your ISP should have a route for that new subnet pointing to the outside interface of your ASA.
    So you can then either allocate the public IPs to the actual machines in which case you need one IP for the DMZ interface on the ASA or you can give your DMZ machines private IPs and just use the new IPs in your NAT statements on the ASA.
    Up to you, but you don't need to assign any IP from the new block to an actual interface if you don't want to.
    Jon

  • Accessing a oracle DB from web AS in a DMZ zone

    Hi all,
    I am using a Web Dynpro application where the backend is an Oracle system. This system is different from the server.
    Say the Web AS server is SYS1
    and the server which has Oracle is SYS2.
    I have created a DB in the Oracle DB of SYS2 and created a SID, user etc.
    When I connect to this DB from inside a network there is no problem in connecting. But I have a requirement where the Web AS server (SYS1) is placed outside the local network we are in, i.e. it's placed in a DMZ zone. Now when I run the application the data from the Oracle DB is not accessible. Are there any settings in Visual Admin which I should enable? (I have opened the ports 1521 and 1527 also!)
    And one more point: I am not using a datasource. I am using EJB where I am directly using the driver manager class with the system IP to connect to the Oracle system.
    How do I solve the problem?
    Regards
    Bharathwaj
    Message was edited by: Bharathwaj R

    Hi,
    Are you able to ping from SYS1 to SYS2?
    If yes then you will be able to access SYS2; otherwise seek help from the network administrator to do the settings at his end so that you can ping from SYS1 to SYS2, or make that machine internet enabled so that you can access it directly over the internet.
    Alok Sahu

  • Moving SharePoint Form to another DMZ zone

    Hi,
    We have a SharePoint application deployed in a DMZ zone, so the entire farm (WFE, APP & DB server) is under the DMZ zone. However, for some reason the client is looking to move the entire farm to another DMZ zone. I would like to know what aspects we need to consider for this activity.
    Best Regards,
    Safder

    A few things come to mind:
    Active Directory location & firewall access
    Network Routing
    Reverse Proxies (if applicable)
    Network Load Balancers
    Server name / DNS / IP changes
    URL changes (if needed)
    Dimitri Ayrapetov (MCSE: SharePoint)

  • WLC sitting in a DMZ zone on an ASA

    I am trying to figure out a way to do a Guest Network without using an ACL tied to the SSID (customer's request). It's a layer 3 network and they suggested creating a DMZ zone off their ASA and connecting the WLC there; that way it's outside their network and can go straight to the internet.
    I have never done this before ... so does anyone know if this would work? Any config guides or explanations would be great.
    Thanks

    Often times, when you hear about a controller in the DMZ, it is part of a pair of internal/external controllers. The internal controller sits within your network and a guest wlan tunnels to the external(dmz) controller (which doesn't actually have any APs on it).
    If you have only one controller, then doing either the trunked vlan, or port 2 straight to the DMZ will work.
    I often see the guest in VLAN 10 (for example), and instead of vlan 10 having a routed interface on the network, it is only layer 2 with a port in access vlan10 that connects to the DMZ of the firewall.

  • Setting multiple R12 iModules on same external tier which is in DMZ Zone

    Experts,
    Could some one guide me on how to setup more than one iModules on same external tier which is in DMZ Zone.
    We have already setup iStore and its working fine.
    Now we would like to extend it to other modules like : iPayables, iReceivables and iRecruitment.
    Our current setup is :
    Whenever external users try to access iStore : https://iStore.domain.com, It reaches F5 Load Balancer using SSL Port 443.
    LB has the redirection rule setup to http://hostname.internal.domain.com:8000, with the help of 8000 port the requests reaches External Web Tier in DMZ Zone and gets served.
    If we need to deploy/enable another iModules, how the setup needs to be served.
    We referred the Metalink Note: 380490.1 for iStore setup.
    Please advise as I am new to these external web tier setup.
    Regards,
    RR.

    >
    Yes, We have un-commented and written the rule as below for iStore as per the Metalink note.
    RewriteRule ^/$ https://iStore.domain.com/OA_HTML/ibeCZzpHome.jsp [R,L]
    However I am worried more about the defining routing rules in the reverse proxy:
    as of now F5 mapping has -- https://iStore.domain.com:443 -> http://hostname.internal.domain.com:8000
    Would it fine if we write the mapping as https://iStore.domain.com:443 -> http://hostname.internal.domain.com:8002
    Apologies if my understanding is wrong, as updated I am new to this external tier setups.
    Regards,
    RR.
    >
    Hi,
    From your reverse proxy server setting it looks like you are planning on using module name in the url (i.e. https://iStore.domain.com:443) - in my case what I did was I used a more generic url (e.g. https://sswa.domain.com - sswa meaning self service web apps) that way my url was not dependent upon a particular module from the reverse proxy server.
    Since you mentioned change of port from 8000 (port pool zero) to 8002 (port pool two) - were you using port 8000 and now planning on changing your port on the system where you were already running iStore or is this for a non production/test system?
    Hope this helps :-)
    Regards,

  • Urgent: What ports should be required in DMZ zone?

    Hi,
    I am thinking the ports question might need to posted here. Please have a look on my posting in the following link:
    Urgent: What ports should be required in DMZ zone?
    Thanks and Regards,

    Thanks, Ravi.
    The environment I am working in now won't allow me to guess and test. We are on the project, and submitting a change request would take very long. So I need to submit all necessary ports correctly at one time.
    Could anybody give me any suggestion? I read the TCP/IP ports for SAP documentation. But I don't think it can answer my questions above.

  • WAS or Dialog instance in DMZ zone

    Hello All,
    Please clarify me by answering the following question.
    I have a plan to use the E-Recruiting functionality without a Portal system and have plans to use this functionality outside the intranet. (Note: not planned to move the back end system to the DMZ zone)
    So kindly suggest me with your valuable points.
    The options which we have are:
    1. Installing a WAS 7.00 engine in the DMZ zone and using this ICM in the E-Recruiting system (back end) by changing the ICM host parameter
    2. Installing a Dialog Instance so that all the E-Recruiting requests will be sent to the dialog instance, which will be placed in the DMZ zone.
    Will the above 2 options work out for my case? Looking for your suggestions.
    Vijay

    hi,
    to install an application server in DMZ, confirm that you will get the port 445 open.
    The TCP port 445 is required to access the sapmnt directory, which contains "SAP profiles".
    or,
    alternative you place an application server lan which will communicate to CI and reverse proxy server (in DMZ)
    request flow:
    Internet -> reverse proxy -> application server -> Database server.
    -gokul

  • Exchange servers in DMZ zone

    Is it the right practice to place all Exchange 2010 role servers in the DMZ zone?
    Or do we need to place only the CAS server in the DMZ zone?

    Hello,
    It is required to place at least one writable Domain Controller with Global Catalog in every AD site where Exchange servers are going to be deployed.
    Hope it helps,
    Adam
    www.codetwo.com

  • DMZ zone with PIX 501

    - How do I set up a DMZ zone with a PIX 501 firewall? Do I need to use an additional router? I have a CISCO 1605 at my disposal.
    - If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
    (We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (available as a 4 port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.

  • DMZ Zone

    Hi ,
    I am using a Cisco ASA 5510 firewall in my network with inside and outside interfaces.
    There is a requirement for a DMZ zone for servers having public IP addresses. All the users will access the servers seat in the inside interface and from the internet as well.
    Please advise the command. Enclosed is the ASA config.
    Regards,
    Saroj

    I'd use the ASDM, create a new IF with security level 50, after that create the objects and firewall rules (incl. NAT), thats all.

  • Dmz zone for pix525 not working

    Dear Guys
    I have a PIX 525 with inside, outside and dmz interfaces; from inside I can't access or ping the dmz zone. Please help me.
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 212.x.x.131 255.255.255.240 standby 212.x.x.132
    interface Ethernet1
    nameif dmz
    security-level 70
    ip address 10.80.64.254 255.255.252.0 standby 10.80.64.253
    interface GigabitEthernet0
    nameif inside
    security-level x
    ip address 10.80.56.254 255.255.252.0 standby 10.80.56.253

    You need to setup a translation between the interfaces. Does this help?
    static (inside,dmz) 10.80.56.0 10.80.56.0 netmask 255.255.252.0
