Good way to implement a DMZ

We currently have an ASA with inside, DMZ and outside interfaces.

Hosts in the DMZ (web server, FTP server, etc.) connect back into the switching infrastructure on their own VLAN. All hosts in the DMZ have public IPs only. There is no internal IP on them and no NAT going on for them.

We are concerned that this is not the right way to set up a demilitarized zone. Should we assign these hosts private internal IPs and NAT them? How would that look on the ASA? Would there be two separate network objects, one for the internal IP address and one for the outside address? Would we use the network object with the external IP address for all rules in the DMZ?

Are there other best practices to follow when creating a DMZ on the ASA?

Any input would be greatly appreciated.

Thank you

Yes, create a new private IP subnet and apply NAT rules to translate these IP addresses to your public IP addresses.

I don't know exactly what your question is; are you asking how to do NAT?

With respect to the general discussion, there are different views on that.

NAT was never designed as a security tool, and some people strongly argue that you should not rely on NAT for security. Whatever type of address you use, the argument is that you control traffic with the ACL, and if you configure those ACLs correctly then it should make no difference what type of address you use.

Others argue that NAT can provide a certain level of security. Certainly for standard NAT, where you hide all your internal IP addresses behind a public IP address for general internet access, it could be argued that it offers security, as connections cannot be initiated from the outside; only the return traffic is allowed in.

But with static NAT statements you are actually allowing external connections. That is also why some people specify the ports in their static statements, i.e. not only to conserve IPs but also because only that specific port can then be connected to.

If you do not specify the ports then theoretically any port can be connected to, although of course that is where your ACL comes in.

To me, your security comes mainly from your ACL, and any security advantage that NAT gives you (where applicable) is a plus but should not be relied on.

So in your case, if you use private IP addresses and do a one-to-one translation between a private IP address and a public IP address, it is almost identical to using public IP addresses directly, i.e. you are totally dependent on your ACL configuration, which isn't a bad thing.

There may be other advantages or disadvantages, but I can't see any.

Perhaps others could comment.

It's really up to you which you do.

If you choose to use private IPs, make sure you have 'arp permit-nonconnected' in your configuration (it may or may not be on by default).

Jon
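The following configuration is an added example, not something posted in this thread, that puts both replies above into ASA syntax: the first reply's "private DMZ subnet plus static NAT", and Jon's points that the ACL is the real control, that a static NAT can be restricted to one port, and that 'arp permit-nonconnected' may be needed. It assumes ASA 8.3 or later (object NAT), and the interface names, the DMZ subnet 192.168.50.0/24, the inside subnet 10.0.0.0/24 and the public block 203.0.113.0/24 are all made up for the example. One point it relies on, which answers the "two network objects?" question in the original post: from ASA 8.3 onward, access lists match the real (untranslated) address, so a single object holding the private address serves both the NAT statement and the ACL; a second object with the public address is not needed.

```text
! Added example, not from the thread. Assumed: ASA 8.3+, interfaces
! inside/dmz/outside, DMZ 192.168.50.0/24, inside 10.0.0.0/24,
! public block 203.0.113.0/24 (all hypothetical).
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! One object per DMZ host, holding the REAL (private) address. The static
! NAT is attached to the object; the public address only appears here.
object network DMZ-WEB
 host 192.168.50.10
 description Web server, static NAT to 203.0.113.10 (all ports)
 nat (dmz,outside) static 203.0.113.10
!
! Port-restricted static NAT (Jon's point about specifying ports): only
! TCP/21 of the FTP host is ever reachable from outside, whatever the ACL
! says. The default global policy's "inspect ftp" handles the data channel.
object network DMZ-FTP
 host 192.168.50.11
 description FTP server, static NAT to 203.0.113.11, control port only
 nat (dmz,outside) static 203.0.113.11 service tcp ftp ftp
!
! Security comes from the ACL (Jon's main point). With 8.3+ NAT the ACL
! matches the REAL address, so it references the same objects as the NAT.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE_IN extended permit tcp any object DMZ-FTP eq ftp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! A DMZ host that gets compromised must not be a stepping stone inward.
! Security level 50 < 100 already blocks dmz->inside by default, but an
! explicit, logged deny keeps the decision visible in the ACL rather than
! resting on the interface security levels alone.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
access-list DMZ_IN extended deny ip any object INSIDE-NET log
access-list DMZ_IN extended permit udp any any eq domain
access-list DMZ_IN extended permit tcp any any eq www
access-list DMZ_IN extended permit tcp any any eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Jon's last point. This lets the ASA answer ARP for mapped addresses that
! are not on a subnet directly connected to the outside interface; with the
! /24 above the mapped addresses are connected, so it is shown only because
! the reply recommends checking for it.
arp permit-nonconnected
```

To check what the firewall will actually do once this is in place, `show nat detail` lists each translation with its hit counts, `show access-list OUTSIDE_IN` shows per-line hit counts, and `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.11 443` walks a hypothetical packet through NAT and the ACL and reports the drop phase; the last one is a quick way to confirm that the port-restricted FTP translation really refuses anything except TCP/21 regardless of the ACL.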

Tags: Cisco Security

Similar Questions

  • Good way to implement page transitions?

    Hi, I have a Flex application that uses several pages, along with a ViewStack. Page transitions are managed by the attached function (which, according to the comments, causes a massive memory leak). This function is called in about 40 locations throughout the Flex application. The function calls removeAllChildren and then createComponentsFromDescriptors so that pages with forms come back up empty, rather than having to manually go through each component in a page and reset it to its initialized state. Preferably, I'd like to preserve the form-reset behavior of this function but cut the memory leak. Any advice on what would be the best solution to this problem?

    Hello
    Just a follow-up. We were able to solve the memory leak problem by applying a patch to the SDK, provided on the Adobe bug tracking forum: http://bugs.adobe.com/jira/secure/IssueNavigator.jspa?reset=true&&query=memory+leak&summar = true & description = true & body = true & pid = 10080 & pid = 10012

  • Best way to implement a FREE purchase?

    Hello

    I have purchases which are free for all users. What is the best way to implement a no-payment solution? Would having the payment fields hidden and COD selected automatically if the amount field is 0.00 be a good idea? Is there a better way that anyone has set up? And what about security vulnerabilities?

    Hello

    Here is an article on "no fee" orders.

    The COD payment method won't work for a zero order value; you should not use the free payment method described in the

    article http://kb.worldsecuresystems.com/893/bc_893.html

    I hope this helps!

  • Can we add money on an iPhone to get the new one? Would that be a good way, and what would it cost?

    Can we add money on an iPhone to get the new one? Would that be a good way, and what would it cost?

    You must speak to your service provider (AT&T, Verizon, etc.) about adding money to pay for your device if it is not already eligible for an upgrade. Hope this helps, good luck to you.

  • I have a MacBook Pro.  Is there a way to implement a rarely used keyboard key so that, WHENEVER it is pressed, the computer inserts a predetermined character string at the cursor position?

    I have a MacBook Pro.  Is there a way to implement a rarely used keyboard key so that, WHENEVER it is pressed, the computer inserts a predetermined character string at the cursor position?

    Yes. You can add it in System Preferences > Keyboard > Text.

  • Easiest way to implement a network wide lock/semaphore

    I was trying to think of a way to implement a network-wide lock or semaphore. The application is that there are two computers on a network running TestStand. There is a common resource that both can use. What is the best way to keep each one "up to date" on the other?

    I thought maybe a small custom TCP/IP routine negotiating this resource, or a shared variable in LabVIEW. I also thought of using remote sequence execution in TestStand. Has anyone done something like this before?

    Example/code sequences are always appreciated.

    You can use a TestStand lock (or any other synchronization object) across the network by prefixing the lock name with \\MachineName\.

    Use the same MachineName on both machines and they will both operate on the same lock, which will live on MachineName.

    Also, see Setting Up TestStand to Access Remote Synchronization Objects in Appendix B of the reference manual.

  • What is a good way to use queues for the producer/consumer model?

    Hi all

    I am following the producer/consumer model, using a queue to synchronize the following process: the producer is a loop that produces N numbers; I put each number generated into an array and, after every 5 numbers generated, I put the array in the queue and pass it on to the consumer. I have to wait for the consumer to use the data, and it will then remove the item from the queue so that the producer gets the chance to produce another 5 numbers. As I set the maximum size of the queue to one, I expect the producer and the consumer to take turns producing/consuming five numbers each and then giving the other a chance. Here is my code

    When the checkbox is false, the code will be

    For the first 5 numbers, the producer generates everything right and puts it in the array, and it passes the array to the queue so that the consumer gets the chance to loop through the array. I expect the producer loop to continue only when the queue is available (i.e. all items are removed), but it seems that once the consumer starts its loop, the producer loop continues (the indicators x+1 and x+2 change to numbers). But this isn't what I want; I know there must be something wrong, but I can't say what it is.

    dragondriver wrote:

    As you say in 1, I use the sequence structure to enforce the order of execution, that's why I put it there. In this example, to keep the question simple, I replaced the complete code with incrementing a number; in the real case, the first marker +1 and +2 must be performed in this order.

    Mikeporter says:
    1. Get rid of all the sequence structures. None of them do anything but enforce an execution order which would have been the same without them.

    So even if you delete the sequence structures, there will be a fixed and defined order, and that is because LabVIEW follows the DATA FLOW MODEL.

    Data flow model (more precisely, in the context of LabVIEW): a block diagram node runs when it has received all its required inputs. When a node runs, it produces output data and passes that data to the next node in the data flow path. The flow of data through the nodes determines the execution order of the VIs and functions on the block diagram (click here for reference).

    Now in your code, just removing the sequence structure will not change the order; it is going to stay the same, but you need to make some very minor changes (such as wiring the error through the loop before it goes to the "Dequeue Element" node).

    Coming to the main point: is this a good way to use the queue for the producer/consumer model?
    The model you are using (and calling producer/consumer) deviates far too much from the original producer/consumer model.

    dragondriver wrote:

    For the second, yes, it's my fault for deleting it. I'm actually using the example from the producer/consumer design pattern template, but I did not pay attention to the while loop in the consumer part.

    While loops (both producer and consumer) are the essential part of this architecture and cannot be deleted. You can start your code from the standard template.

  • Is there a good way to archive historical data?

    Our Planning cubes are becoming too big with 5 years of forecasting and budgeting data.

    Is there a good way to archive historical data?

    How you guys do it?

    I know a simple way is to make a copy of the Planning Essbase cubes.  However, if there are cell text, attachments and supporting details, these will be lost unless there is a way to archive the Planning RDBMS repository data as well.  Even in that case, all links and hooks from the Essbase cubes into that RDBMS repository will be broken.

    The old-fashioned method is to print all reports to PDF and archive them.

    Given that the plan changes every month, do you reprocess history until you check it in?

    Thanks for your advice.

    This can be done in 2 ways...

    1. Just make a copy of the old 'DATA' to a text file or to another Essbase history cube. Clear only the historical data from the current application. This will keep other information such as cell text intact. In case users want to refer to the old cell text/supporting details they can do so by going directly into the application, and for the data part they can look in the old PDF reports.

    2. Make a copy of the Planning application to create a copy of the current application. Keep all old data, cell text etc. in the old app. All previous reports also point to this app. Then clear the current app, and simply provide read access to the older data. App users can be trained to use the older application for all historical data and the current app for existing budgets. Also this app can be used during the period of archiving all data.

  • vSphere 5.5 LBT using an uplink group that does not have a good path

    We have been using LBT since our recent deployment, which is new for us.  Everything seemed fine and dandy until recently, when VMs began dropping their connectivity at what looked like random times.  The first fix out the door was to disconnect and reconnect the vNIC for each virtual machine.  Sometimes it took a few tries before it worked.  We discovered that LBT moved VMs to the other uplink group, which was a physical one.  Unfortunately, someone didn't configure the port correctly on the remote switch, so while the link came up, it could not access the correct VLAN.  My question is, why would LBT move virtual machines to an uplink group which did not have a good path?  Does it only look at the physical link?  Looks like a problem waiting to happen.  Or, more likely, we have something misconfigured.  Any help would be wonderful; I don't like the idea of going back to etherchannel or LACP with IP hash on blade chassis.  Thank you!

    My question is, why would LBT move virtual machines to an uplink group which did not have a good path?

    Since a "good path" can mean many different things in different circumstances and from different points of view, it's out of scope for LBT. It will only act on the physical link status. There is beacon probing too, which can detect upstream switch outages, but it can only be used with at least 3 vmnic uplinks and it has a few disadvantages, see:

    http://virtechgeek.com/2013/05/06/beacon-probing-vSphere-network-policy/

    http://thomaslowblog.blogspot.de/2011/10/vswitch-network-failover-detection.html

    You can use the dvSwitch health check feature to make sure that all the NICs of all the hosts connected to a dvSwitch can access the same VLANs. It will not prevent LBT from moving virtual machines, but it will at least raise an alarm if a NIC cannot access a VLAN. Take a look at this article:

    http://wahlnetwork.com/2012/08/27/new-5-1-distributed-switch-features-part-1-network-health-check/

  • Is there a good way to do it?

    Is there a good way to write messages of errors in PL/SQL? For example:

    IF < variable > IS NULL THEN

    dbms_output.put_line('error message');

    END IF;

    OR

    IF < variable > IS NULL THEN

    RAISE < exception >;

    END IF;

    Which is more correct? Or maybe both are fine?

    Thank you.

    Hello

    The dbms_output package is a good way to write debugging messages from PL/SQL code.  It is not very good for anything else.  It is particularly inappropriate for error messages, since the output can easily be missed, if it is displayed at all.

    The second way you posted (RAISE) is good.  Create user-defined exceptions and RAISE them explicitly.

  • Is there a good way to automate changing existing links to external PDF to be attachments in PDF with the same names?

    Greetings!

    Can someone tell me a good way to automate changing existing hyperlinks in a 'main' PDF that point to an external PDF, so that they instead link to PDF attachments of the main PDF (the attached PDFs have the same filenames as the external PDF files)?

    The current link to main PDF format:
    Navigate to a page in another document
    File: C:\\path\filename.pdf
    Name of the destination: P:1

    When the link is manually changed to link to a PDF file that has been attached to the main PDF:

    Navigate to a page in another document
    : PDF attachment
    Page: 1
    Zoom level: page Fit

    The new PDF link does not list the name of the attached PDF file in the link.

    The main PDF file (the one that has the links I would like to change automatically) is generated with hyperlinks to other PDF documents from Adobe FrameMaker 11.  In FrameMaker 11, we have added the special text marker "openpage filename.pdf:1", which is 'automatically' changed into hyperlinks to external PDF files when the main PDF file is created (the PostScript file is processed) by Adobe Acrobat Pro 11.

    My first choice would be to change the format of the special marker text in the Adobe FrameMaker source file, but I found no way to specify a link to a PDF attachment with a certain file name.

    However, I would also very much like the ability to run a command on the main PDF file to change the links there.

    Has anyone tried using the Adobe ExtendScript Toolkit CS6? In other words, a script that could automatically change the hyperlinks in a PDF document to link to PDF attachments instead of external PDF files, or modify the untransformed links while they are still in PostScript file format, or change the FrameMaker marker text so that, instead of creating a link to a PDF file in the same directory as the main PDF being processed, it creates a link to an attached PDF file?

    Thank you
    Judith Wallace

    FrameMaker's hyperlink feature has no ability to "connect" with an attachment on/in a target PDF.

    PDFs from FM may have named destinations; in FM files, a link created from file01.fm to the named destination specified in file01.fm will be functional in the PDF files created from the FM files.

    Then, of course, there are the possible dynamics by use of FM books. But that is grist for the mills of the FM user forum.

    RE: Script - PDF scripting is via Acrobat JavaScript. It is still something by and for Adobe, even though it may migrate to an ISO standard (or be rolled into a future ISO 32000 standard).

    So, to the point - look at Acrobat JavaScript for the script.

    Be well...

  • I cannot add a video to Muse. Does anyone know a good way to get where I want to go?

    I have embedded a YouTube video in a Muse site before. I used the embed code and the URL successfully in the past. Now the widget displays a notice, "unable to generate thumbnails".

    In addition, YouTube launched a policy where they run ads unless I monetize first for the privilege of disabling ads. I love YouTube because they offer a choice of sizes for the player, but I have no interest in signing up for Google AdSense. I don't see any size option on Vimeo. In addition, a Vimeo version won't load into the widget with either the URL or the embed code.

    All I want is a simple player for an HD video slideshow portfolio. I need the player to fill more of the page than the 560 x 315 player. Does anyone know a good way to get where I want to go?

    Hello

    If you are ready to host the video on your own server, you can do this by importing the mp4 file into the assets folder and then using HTML code to play this video in an HTML5 player, and you can set the size in the code.

    Please take a look at the example steps.

    1. Go to File > Add Files for Upload (select the file you want and it will be moved into the assets folder)

    2. Go to Object > Insert HTML and type the following code

    <video width="560" height="315" controls>
      <source src="assets/Filename.mp4" type="video/mp4">
    </video>

    "Filename" should be replaced with the exact name of the video file that you imported in step 1.

    3. You can change the width and height according to your requirements.

    This will create the video frame in an HTML5 player, and you can place it on the page as per your requirement.

    Regards

    Vivek

  • What is a good way to check if a basic SQL cursor select returns nothing

    Hi all

    I am trying to find a good way to identify that a basic SQL select cursor returns nothing.
    I know we can either use EXCEPTION WHEN NO_DATA_FOUND or COUNT(*) to check how many rows are returned.


    I have a cursor based on a long select statement,
    like:
    CREATE OR REPLACE PROCEDURE aaa (v_input IN NUMBER, v_output OUT VARCHAR2)
    IS
         v_count NUMBER;
         CURSOR long_cursor IS
              --long select statement (with input variable) ;
    
    BEGIN
         -- the same long select is repeated here only to count the rows first
         SELECT COUNT(*)
           INTO v_count
           FROM
           -- a long select statement with input again ;
         IF v_count > 0 THEN
              FOR rec IN long_cursor LOOP
                   --Get information from cursor
                   --other processing for output
              END LOOP;
         END IF;
    
    END;
    Is there another way than the above?
    I would like to reduce the amount of typing. I know that repetition in code is not good.

    Thanks in advance,
    Ann

    Published by: Ann586341 on February 28, 2013 14:29

    Hello Ann,

    Apart from the possibility, already mentioned, that other users can change the data during the execution of your process, you can check whether something needs to be done without the COUNT. Set a flag in the cursor FOR loop. When there is no data, the flag will not change and you can perform the necessary procedure.

    CREATE OR REPLACE PROCEDURE aaa (v_input IN NUMBER, v_output OUT VARCHAR2)
    IS
        v_data_found    BOOLEAN := FALSE;
        CURSOR long_cursor IS
            --long select statement (with input variable) ;
    
    BEGIN
        -- the loop body never runs when the cursor returns no rows,
        -- so the flag stays FALSE in that case
        FOR rec IN long_cursor LOOP
            v_data_found := TRUE;
            --Get information from cursor
            --other processing for output
        END LOOP;
        IF NOT v_data_found THEN
            -- set processed flag
            NULL;
        END IF;
    END;
    

    Regards
    Marcus

  • Good way to start with learning the concepts of 11g

    Hello

    I have work experience on BEA WebLogic Server 8.1 SP4, on which I have worked for about 2 years now. My current assignment requires work on installation/development and deployment on Fusion Middleware 11g server. Could somebody please suggest a good way to start learning the 11g concepts?

    I understand that all the documentation is available on the Oracle site, but I want to know where to start.

    My essential tasks in the assignment would be
    1. Installation (OSB on top of WLS).
    2. Development/configuration on OSB.
    3. Deployment and administrative tasks.

    Kind regards
    Angelique

    Some older OSB tutorials are mentioned here: Oracle OSB - tutorial for using the Eclipse plugin for development

    The OSB development guide (which shows how to use Eclipse) can be found here: http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/toc.htm

    For now (to my knowledge), Eclipse is used for OSB development. Note that JDeveloper is used for development with Oracle SOA Suite (for example Oracle BPEL).

  • Compile / good way to save?

    I wonder, is there a good way to save when you work with Adobe Illustrator? I ask because I have noticed that although Illustrator is vector-based, when I work with it and try to select all my layers and resize them (all at once, all layers selected) smaller, they get screwed up as if they were pixelated...

    To resolve this problem I experimented, and I found Flatten Transparency.  It worked on my usual Illustrator work. Even when I scale my work down to the smallest size (regular icon size), it is still recognizable and I feel the power of vector.

    But then, with my latest practice, it seems that Flatten Transparency can no longer help me. When I scaled my latest project down to the smallest size (regular icon size), it began to look as if it were rasterized. The quality dropped and my work is no longer recognizable.

    This made me think: is there really a good way to save? Some kind of compilation thing? Where, when I scale my work to a smaller size, it still looks OK? Thank you! See you soon!

    Kind regards

    Bartoli

    Barka,

    You should have Edit > Preferences > General > Scale Strokes & Effects ticked, and (if you have CS5) Transform > Align to Pixel Grid unchecked.
