Ever tried to keep a handful of devices on a network but didn’t want them chatting with the rest of your office?
Maybe you heard “screened subnet” in a meeting and thought it was just another buzz‑word.
Turns out, a screened subnet is the sweet spot between total isolation and full exposure – a little firewall‑sandwich that lets you control traffic without breaking connectivity.
Below is the low‑down on how to configure a screened subnet (sometimes called a DMZ or demilitarized zone) in a 5.3.3 network layout. I’ll walk you through the concept, why you’d bother, the step‑by‑step setup, common slip‑ups, and a handful of tips that actually work in the field.
What Is a Screened Subnet
Think of a screened subnet as a small, fenced‑in yard inside a bigger property.
Your main network (the “inside”) sits behind a firewall, the yard (the “screened subnet”) sits between that firewall and the internet, and another firewall guards the yard’s exit.
In practice, you have three logical zones:
- Internal LAN – trusted devices, printers, file servers.
- Screened Subnet (DMZ) – web servers, mail relays, VPN concentrators – anything that must be reachable from outside but shouldn’t have free reign inside.
- External Network – the internet, partner sites, anything you don’t control.
The “5.3.3” you see in some Cisco or Juniper docs simply refers to a typical three‑tier design: 5 VLANs, 3 firewalls, 3 routing points. The screened subnet lives in the middle tier, sandwiched by two firewalls (or a single firewall with two interfaces).
Key Characteristics
- Dual‑firewall protection – inbound traffic hits the outer firewall first, then the inner one before reaching the host.
- Limited exposure – only the services you explicitly allow are reachable.
- Separate address space – the DMZ gets its own subnet (e.g., 192.168.200.0/24) so you can apply ACLs without touching the internal LAN.
Why It Matters / Why People Care
You could just stick a web server on the internal LAN and open a port on the firewall. That works, right? Not really.
- Security – If that web server gets compromised, the attacker can’t hop straight to your file server because the inner firewall blocks it.
- Compliance – PCI‑DSS, HIPAA, and many other standards demand that publicly accessible services be isolated.
- Simplified management – One ACL set governs everything in the DMZ, making audits less painful.
In practice, a screened subnet can be the difference between a quick patch and a full‑blown breach. I’ve seen companies lose hours of downtime because a mis‑configured web server had direct access to their AD domain controllers. A proper DMZ would have stopped that in its tracks.
How It Works (or How to Do It)
Below is a practical, vendor‑agnostic walk‑through. I’ll use Cisco ASA syntax for examples because it’s common, but the concepts translate to Palo Alto, Fortigate, or even open‑source firewalls like pfSense.
1. Plan Your IP Scheme
Pick a subnet that’s easy to remember and won’t clash with existing ranges.
| Zone | Subnet | Example Range |
|---|---|---|
| Internal LAN | 10.0.0.0/24 | 10.0.0.1‑10.0.0.254 |
| Screened Subnet (DMZ) | 10.0.200.0/24 | 10.0.200.1‑10.0.200.254 |
| External | DHCP from ISP or 203.0.113.0/24 | |
Write this down, draw a quick diagram, and stick it on the wall. It saves you from “wait, why did we assign 10.0.0.0 to the DMZ?” moments later.
2. Create the Physical/Logical Interfaces
On a typical ASA you’ll have three interfaces:
```
interface GigabitEthernet0/0   # outside (internet)
 nameif outside
 security-level 0
 ip address 203.0.113.5 255.255.255.0
interface GigabitEthernet0/1   # inside (internal LAN)
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2   # dmz (screened subnet)
 nameif dmz
 security-level 50
 ip address 10.0.200.1 255.255.255.0
```
If you’re using a single‑firewall model, the “dmz” interface is just a second VLAN on the same box. In a dual‑firewall setup, the outer firewall’s DMZ interface connects to the inner firewall’s “outside” interface, forming the sandwich.
3. Define NAT Rules
You probably want the DMZ hosts to be reachable from the internet (e.g., a public web server) but you don’t want them to initiate outbound sessions that could be abused.
```
# Static NAT for a web server
object network WEB01
 host 10.0.200.10
 nat (dmz,outside) static 203.0.113.10
# Hide the rest of the DMZ behind the firewall’s outside IP
object network DMZ_NET
 subnet 10.0.200.0 255.255.255.0
 nat (dmz,outside) dynamic interface
```
If you have a dual‑firewall design, the inner firewall typically does “no‑nat” for DMZ‑to‑inside traffic (which you’ll block anyway) and lets the outer firewall handle the public translation.
4. Build Access Control Lists (ACLs)
Here’s where the “screened” part lives. Start with a deny‑all stance and then open only what you need.
```
# Traffic arriving from the internet: allow only HTTP/HTTPS to the web server
# (ASA 8.3+ ACLs reference the real/private address, not the NATed one)
access-list DMZ_IN extended permit tcp any host 10.0.200.10 eq 80
access-list DMZ_IN extended permit tcp any host 10.0.200.10 eq 443
# Traffic originating in the DMZ: allow DNS (UDP and TCP) if the server needs to resolve names
access-list DMZ_OUT extended permit udp any host 8.8.8.8 eq 53
access-list DMZ_OUT extended permit tcp any host 8.8.8.8 eq 53
# Block everything else (explicit so the denies show up in the logs)
access-list DMZ_IN extended deny ip any any
access-list DMZ_OUT extended deny ip any any
```
Apply the lists. An ASA evaluates an ACL on the interface where the packet enters, so the internet‑facing list goes inbound on “outside” and the list governing what the DMZ may start goes inbound on “dmz”:
```
access-group DMZ_IN in interface outside
access-group DMZ_OUT in interface dmz
```
Notice the “inside‑to‑dmz” traffic is not mentioned – by default the inner firewall (security‑level 100) can talk to the DMZ (security‑level 50). If you don’t want that, add a rule on the inner firewall to drop it.
5. Enable Routing Between Zones
Most firewalls will automatically route between directly connected interfaces, but you still need a default route toward the internet, and you may need static routes for remote sites.
```
# Default route toward the ISP (203.0.113.1 is an assumed gateway address)
route outside 0.0.0.0 0.0.0.0 203.0.113.1
# Remote internal subnets reached via the internal router at 10.0.0.254 (example subnet)
route inside 10.0.50.0 255.255.255.0 10.0.0.254
```
On the inner box of a dual‑firewall design, the default route points at the outer firewall’s DMZ‑side address (e.g., 10.0.200.254) instead of the ISP.
If you have a separate router handling inter‑VLAN routing, make sure it knows about the DMZ subnet and points traffic back to the firewall.
6. Test, Verify, Harden
- Ping from an external host to the public IP (should reach the web server).
- Traceroute to confirm the packet hits the outer firewall, then the inner one, then the host.
- Port scan (nmap) from both inside and outside – you should only see the ports you opened.
Once the basics work, tighten timeouts, enable logging on the ACLs, and consider IDS/IPS signatures for the DMZ interfaces.
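Before trusting the nmap results, it helps to check the policy on paper. The following is an added Python example (not from the original post and not a vendor tool): it parses the step‑4 access lists, assumes they are bound inbound on the outside and dmz interfaces and reference real (post‑8.3 NAT) addresses, and evaluates sample flows the way an ASA does: an inbound ACL on the ingress interface decides, otherwise the security‑level default applies.

```python
import ipaddress
# Constructed config in ASA syntax: the step-4 lists, assumed bound inbound on the
# outside and dmz interfaces, plus the step-2 security levels and zone subnets.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
ZONE_NET = {"inside": "10.0.0.0/24", "dmz": "10.0.200.0/24"}  # anything else is outside
CONFIG = """
access-list DMZ_IN extended permit tcp any host 10.0.200.10 eq 80
access-list DMZ_IN extended permit tcp any host 10.0.200.10 eq 443
access-list DMZ_IN extended deny ip any any
access-list DMZ_OUT extended permit udp any host 8.8.8.8 eq 53
access-list DMZ_OUT extended deny ip any any
access-group DMZ_IN in interface outside
access-group DMZ_OUT in interface dmz
"""
def _addr(t, i):
    """Parse one ACL address term ('any', 'host A.B.C.D' or 'NET MASK'); return (net, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse(config):
    """Return ({acl: [(action, proto, src_net, dst_net, port)]}, {iface: acl bound inbound})."""
    acls, bindings = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":      # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, port))
        elif t[0] == "access-group":   # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings

def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    return next((z for z, n in ZONE_NET.items() if ip in ipaddress.ip_network(n)), "outside")

def allowed(acls, bindings, src, dst, proto, port):
    """ASA decision: inbound ACL on the ingress interface decides (first match, implicit deny); else higher-to-lower security level only."""
    ingress, egress = zone_of(src), zone_of(dst)
    if ingress in bindings:
        for action, p, s, d, prt in acls[bindings[ingress]]:
            if p in ("ip", proto) and ipaddress.ip_address(src) in s \
                    and ipaddress.ip_address(dst) in d and prt in (None, port):
                return action == "permit"
        return False  # implicit deny at the end of every ASA ACL
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
```

Feed it your own lists and the flows you expect to work and to fail; the denied DMZ‑to‑inside row is the one that proves the screen is doing its job.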
Common Mistakes / What Most People Get Wrong
- Putting the DMZ on the same security level as the internal LAN – Security‑level numbers are more than just numbers; they dictate default traffic flow. A DMZ should sit at a lower level (e.g., 50) than the inside (100). If you forget, the firewall will allow inside‑to‑DMZ traffic without any ACLs.
- Leaving “any any” permits in the ACL – It’s tempting to add a quick “permit ip any any” to get something working. That defeats the whole purpose of a screened subnet. Always start with a deny‑all and carve out exceptions.
- Forgetting NAT on the outer firewall – In a dual‑firewall setup, the inner firewall often thinks the DMZ host is on a private network and won’t route it to the internet. Without proper NAT on the outer box, outbound connections fail silently.
- Relying on a single firewall for both “outside” and “DMZ” – While a single‑firewall DMZ works, you lose the “double‑hop” protection that a true screened subnet provides. If the firewall itself is compromised, the attacker gains direct access to the DMZ hosts.
- Neglecting logging – A DMZ is a hunting ground for attackers. If you don’t log inbound connections, you won’t know when someone is probing your web server. Turn on syslog and keep the logs for at least 30 days.
Practical Tips / What Actually Works
- Name your objects – “WEB01”, “MAIL01”, “DMZ_NET”. It makes ACLs readable and future audits painless.
- Use IPv6 where possible – many modern firewalls support IPv6 DMZs out of the box, and it future‑proofs your design.
- Separate management traffic – put a dedicated VLAN for firewall admin access (e.g., 10.0.10.0/24) and restrict it to specific IPs.
- Deploy a bastion host – if you need SSH or RDP into a DMZ server, place a hardened jump box in the DMZ and lock down direct access.
- Automate with scripts – a short Bash or PowerShell script that pushes the ACLs and NAT rules can save you from copy‑paste errors.
- Regularly scan the DMZ from the inside – schedule a quarterly nmap scan from the internal LAN to verify that no unintended ports are open.
FAQ
Q: Do I need two firewalls for a screened subnet?
A: Not strictly. One firewall with at least three interfaces (inside, outside, dmz) can create a screened subnet. Two firewalls give you an extra layer of defense, which is useful for high‑value assets.
Q: Can I put a database server in the DMZ?
A: Generally no. Databases should stay on the internal LAN and be accessed via an application server in the DMZ. If you must expose a DB, lock it down with strict source IP ACLs and encrypt all traffic.
Q: How does a screened subnet differ from a simple VLAN?
A: A VLAN only separates broadcast domains. A screened subnet adds firewall filtering and NAT, giving you controlled exposure to the internet.
Q: What port should I open for a VPN concentrator in the DMZ?
A: It depends on the VPN type. For IPsec, open UDP 500 and 4500 plus ESP (protocol 50). For SSL‑VPN, typically TCP 443. Always limit source IPs if possible.
Q: Is a screened subnet the same as a “perimeter network”?
A: Yes, the terms are interchangeable. Both describe a network segment that sits between the untrusted external network and the trusted internal network.
Setting up a screened subnet isn’t rocket science, but it does require a disciplined approach. Start with a clean IP plan, lock down traffic with precise ACLs, and double‑check NAT and routing. The payoff? A network that lets the world knock on your door without handing over the keys to the house.
Give it a try on a lab environment first, then roll it out to production. Once you see the peace of mind that comes with that extra firewall sandwich, you’ll wonder how you ever lived without it. Happy configuring!