Designing and Building Enterprise DMZs

Use this checklist in designing and configuring your PIX firewall:
Gather DMZ requirements.
Design the DMZ environment to the specification of the requirements.
Select one of the five PIX or four ASA firewall chassis.
Select the optional components of the PIX/ASA firewall.
Select the correct PIX/ASA OS license (Restricted, Unrestricted, Failover, and Failover Active/Active).
Optionally, select an encryption license (DES and 3DES).
Configure the PIX/ASA s console and terminal interfaces.
Set security levels on the PIX/ASA interfaces.
Set IP addresses and speed/duplex settings on the active interfaces.
Configure outbound NAT statements.
Configure inbound NAT statements.
Configure outbound access rules controlling access from internal resources to specific resources on the Internet or other less secure interfaces.
Configure inbound access rules controlling access to resources on the DMZ. Remember to be as specific as possible.
Configure static or dynamic routing.
Should high availability be required, configure the failover or stateful failover feature.
If required, configure URL filtering, cut-through proxy, application inspection, and intrusion detection.
Lock down SNMP and NTP.