Cisco IPS 4520 Sensor White Paper
Firewall
August 2012 Series
Procedure 4: Configure the DMZ security policy

Tech Tip
Each security policy is unique to the policy and management requirements of an organization. Examples in this document are intended to illustrate policy configuration concepts.

The management DMZ provides connectivity to the internal network for devices in the DMZ and outside the firewall. This connectivity is limited to the protocols required to maintain and operate the devices.
Step 1: Navigate to Configuration > Firewall > Access Rules.

First, you will enable devices in the management DMZ to communicate with the internal network for management and user authentication.
Step 2: Click Add, and then choose Add Access Rule.

Step 3: In the Add Access Rule dialog box, in the Interface list, select —Any—.

Step 4: For Action, select Permit.

Step 5: In the Source list, select the network object automatically created for the management DMZ. (Example: dmz-management-network/24)

Step 6: In the Destination list, select the network object that summarizes the internal networks. (Example: internal-network)

Step 7: In the Service list, enter tcp/ftp, tcp/ftp-data, tcp/tacacs, udp/ntp, udp/syslog, and then click OK.
Next, you will ease the configuration of the security policy by creating a network object that summarizes all the DMZ networks. All the DMZ networks deployed in SBA for Enterprise Organizations can be summarized as 192.168.16.0/21.
Step 8: Navigate to Configuration > Firewall > Objects > Network Objects/Groups.

Step 9: Click Add > Network Object.

Step 10: In the Add Network Object dialog box, in the Name box, enter a description for the network summary. (Example: dmz-networks)

Step 11: In the Type list, select Network.

Step 12: In the IP Address box, enter the address that summarizes all DMZ networks. (Example: 192.168.16.0)
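As an added example (not code from the Cisco SBA guide or from Cisco), the following Python script audits an ASA-style configuration against the policy this procedure defines: it checks that every permit rule from dmz-management-network to internal-network uses one of the five services listed in Step 7, and that the dmz-networks summary object from Steps 8 to 12 actually contains the management DMZ subnet. The configuration text is constructed for the example; the access-list name global_access and the internal-network prefix 10.4.0.0/15 are assumptions, and only object-to-object access-list entries are parsed.

```python
"""Audit an ASA-style configuration against the management-DMZ policy.

Added example, not part of the SBA guide. Assumptions: the global rule lands in
an access-list named 'global_access', internal-network is 10.4.0.0/15, and
only 'object X object Y' extended entries are considered.
"""
import ipaddress
import re

# Services the guide permits from the management DMZ to the internal network.
ALLOWED_SERVICES = {
    ("tcp", "ftp"), ("tcp", "ftp-data"), ("tcp", "tacacs"),
    ("udp", "ntp"), ("udp", "syslog"),
}

# Constructed sample configuration. The last entry (tcp/ssh) is deliberately
# outside the documented policy so the audit has something to report.
SAMPLE_CONFIG = """\
object network dmz-management-network
 subnet 192.168.16.0 255.255.255.0
object network internal-network
 subnet 10.4.0.0 255.254.0.0
object network dmz-networks
 subnet 192.168.16.0 255.255.248.0
access-list global_access extended permit tcp object dmz-management-network object internal-network eq ftp
access-list global_access extended permit tcp object dmz-management-network object internal-network eq ftp-data
access-list global_access extended permit tcp object dmz-management-network object internal-network eq tacacs
access-list global_access extended permit udp object dmz-management-network object internal-network eq ntp
access-list global_access extended permit udp object dmz-management-network object internal-network eq syslog
access-list global_access extended permit tcp object dmz-management-network object internal-network eq ssh
"""

OBJECT_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)$", re.M)
RULE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+)"
    r" object (?P<src>\S+) object (?P<dst>\S+)(?: eq (?P<port>\S+))?$",
    re.M,
)


def parse_objects(config):
    """Map each 'object network' name to its IPv4Network (dotted mask accepted)."""
    return {
        name: ipaddress.IPv4Network(f"{addr}/{mask}")
        for name, addr, mask in OBJECT_RE.findall(config)
    }


def parse_rules(config):
    """Return extended access-list entries as dicts; port is None when the
    entry has no 'eq' clause (for example 'permit ip ...')."""
    return [m.groupdict() for m in RULE_RE.finditer(config)]


def find_unexpected_services(config, src="dmz-management-network",
                             dst="internal-network", allowed=ALLOWED_SERVICES):
    """Return (proto, port) pairs permitted from src to dst that are not on the
    allowlist, in configuration order. A port-less permit is always reported."""
    unexpected = []
    for rule in parse_rules(config):
        if rule["action"] != "permit" or rule["src"] != src or rule["dst"] != dst:
            continue
        service = (rule["proto"], rule["port"])
        if service not in allowed:
            unexpected.append(service)
    return unexpected


def summary_covers(config, summary, members):
    """True if every member object's subnet lies inside the summary object."""
    objects = parse_objects(config)
    return all(objects[m].subnet_of(objects[summary]) for m in members)


if __name__ == "__main__":
    extra = find_unexpected_services(SAMPLE_CONFIG)
    print("services outside the management-DMZ policy:", extra or "none")
    print("dmz-networks summarizes dmz-management-network:",
          summary_covers(SAMPLE_CONFIG, "dmz-networks", ["dmz-management-network"]))
```

Run against a real `show running-config` export, the script flags any rule that widens the management DMZ beyond the five services the procedure names, which is the check a reviewer would want after the ASDM steps are done.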