I have a Cisco ASA that will have our linux box in the dmz. We have a public IP assigned that is forwarded(not sure if thats the right term am not a Cisco guy) to the private IP so we can access it from the LAN. How do i lock this down. For example i am running an app that uses a web interface to manage it. I need to block the outside world form using that site and allow people on the LAN to use it. Should I use iptable for that if so can i get an example or should we be able to do that on the ASA.

Is the managment webapp run on the same port as the service in the DMZ? If it is I would start by seperating that.

I think you are trying to say the ASA is routing traffic from your internal LAN to that DMZ?

The box that is in the DMZ has a separate subnet from your regular LAN? Right?

Best practices is to not have a DMZ share the same physical switch that your regular network uses. Not sure your precise setup, but just throwing that out there.

Now if your ASA is routing to the DMZ, then you should also be able to setup an ACL (access control list) on the ASA as well. In which case you can just add rules that say only allow 80, and 443 traffic to the DMZ from your internal LAN subnet.

Again this is just a guess because the details on your setup are kind of lacking.

nomb

nomb that is exactly what I am trying to do. I talked it over with the guy that set up the ASA and he said he would add some ACL.

I don't think I can do anything about the switch and the DMZ like you suggested due to work politics. Thanks for the help

Not a problem glad I could help.