Cisco IPS 4510 Sensor White Paper
20
Firewall
August 2012 Series
Procedure 4: Configure the DMZ security policy
Tech Tip
Each security policy is unique to the policy and management requirements of an organization. Examples in this document are intended to illustrate policy configuration concepts.
The management DMZ provides connectivity to the internal network for devices in the DMZ and outside the firewall. This connectivity is limited to the protocols required to maintain and operate the devices.
Step 1: Navigate to Configuration > Firewall > Access Rules.
First, you will enable devices in the management DMZ to communicate with the internal network for management and user authentication.
Step 2: Click Add, and then choose Add Access Rule.
Step 3: In the Add Access Rule dialog box, in the Interface list, select —Any—.
Step 4: For Action, select Permit.
Step 5: In the Source list, select the network object automatically created for the management DMZ. (Example: dmz-management-network/24)
Step 6: In the Destination list, select the network object that summarizes the internal networks. (Example: internal-network)
Step 7: In the Service list, enter tcp/ftp, tcp/ftp-data, tcp/tacacs, udp/ntp, udp/syslog, and then click OK.
Next, you will ease the configuration of the security policy by creating a network object that summarizes all the DMZ networks. All the DMZ networks deployed in SBA for Enterprise Organizations can be summarized as 192.168.16.0/21.
Step 8: Navigate to Configuration > Firewall > Objects > Network Objects/Groups.
Step 9: Click Add > Network Object.
Step 10: In the Add Network Object dialog box, in the Name box, enter a description for the network summary. (Example: dmz-networks)
Step 11: In the Type list, select Network.
Step 12: In the IP Address box, enter the address that summarizes all DMZ networks. (Example: 192.168.16.0)
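The access rule from Steps 2 through 7 and the summary object from Steps 8 through 12, modelled as an added example in Python (not part of the SBA guide): it derives the summary prefix from a constructed set of DMZ subnets, checks the rule against the Tech Tip's intent of permitting only the named management protocols, and renders the equivalent ASA object-based CLI for change review. The ACL name global_access and the four sample subnets are assumptions; the object names and services are the guide's own examples.

```python
# Added example, not from the Cisco SBA guide: model the Step 2-7 access rule
# and the Step 8-12 summary object, check them, and render ASA 8.3+ CLI.
import ipaddress

# Constructed sample DMZ subnets (assumed; the guide only states that the
# SBA DMZs summarize to 192.168.16.0/21).
SAMPLE_DMZ_SUBNETS = ["192.168.16.0/24", "192.168.17.0/24",
                      "192.168.18.0/24", "192.168.23.0/24"]

# Step 2-7 rule. ACL name global_access is assumed (the name ASDM gives a
# rule with Interface = Any); object names and services are the guide's.
MGMT_RULE = {
    "acl": "global_access",
    "source": "dmz-management-network/24",
    "destination": "internal-network",
    "services": ["tcp/ftp", "tcp/ftp-data", "tcp/tacacs", "udp/ntp", "udp/syslog"],
}

def summarize(subnets):
    """Smallest single prefix covering every subnet: the Step 12 address."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        cand = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in cand:
            return cand

def is_least_privilege(rule):
    """Tech Tip check: named tcp/udp services only, no blanket 'ip' permit,
    and no 'any' destination into the internal network."""
    svcs = rule["services"]
    return (rule["destination"] != "any" and bool(svcs) and
            all("/" in s and s.split("/")[0] in ("tcp", "udp") for s in svcs))

def to_asa_cli(rule, summary_name, summary_net):
    """Render the ASDM steps as object-based ASA CLI lines."""
    lines = [f"object network {summary_name}",
             f" subnet {summary_net.network_address} {summary_net.netmask}"]
    for svc in rule["services"]:
        proto, port = svc.split("/")
        lines.append(f"access-list {rule['acl']} extended permit {proto} "
                     f"object {rule['source']} object {rule['destination']} eq {port}")
    lines.append(f"access-group {rule['acl']} global")
    return lines

if __name__ == "__main__":
    print("\n".join(to_asa_cli(MGMT_RULE, "dmz-networks", summarize(SAMPLE_DMZ_SUBNETS))))
```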