Cisco ASA - Virtual Contexts - Cascade Setup

fgfuentes — Fri, 21 Feb 2020 14:50:23 GMT

Hello, due to some certifications that I need to get for my current platform, they request to setup a firewall between the DMZ and the inside network. I recently installed brand new Cisco ASAs 5545-x (v9.7) with cluster licensing, so I was thinking on setting up 2 contexts, one for each LAN on cascade mode. Of course I need to be able to reach the INSIDE servers from the DMZ since all the Databases are on the inside network (just specific ports)

I tried running a simulation of this architecture on the Cisco Packet Tracer (although you can only use a ASA 5505 with v8.4 but it should be the same but with some different commands) with the current setup: (image attached network_example.png)

1. DMZ Firewall/Network:

- outside interface connected to the simulated ISP (1.1.1.0)

- dmz interface connected to the DMZ network switch (172.23.0.0)

- dmz servers (with public address nat from ISP to test their connection to the outside world)

2. INSIDE Firewall/Network:

- outside interface connected to the DMZ network switch (172.23.0.254 - is this the correct way to set it up or it should go directly to another interface on the DMZ-Firewall ???)

- inside interface connected to the INSIDE network switch (192.168.16.0)

- inside servers

Questions/Problems:

1. I can reach the DMZ servers from the INSIDE network using NAT and access lists, but I haven't been able to reach the INSIDE servers from the DMZ network. I've tried using NAT, routing, access-lists but still haven't figure out how to reach them. Any clues on how should I proceed?

2. I currently have 2 platforms (production/contingency) which are connected through a site-to-site VPN connection so the database servers can be synchronized periodically. Since the ISP connection is on the DMZ firewall, and the databases are on the INSIDE firewall, are the database servers from each platforms are going to be able to reach each other or should it be easier to get a dedicated connection between the 2 INSIDE Firewalls and set up the Site-to-Site VPN through this channel.

Firewall configs:

1. DMZ Firewall:

daycodmz#sh run

: Saved

ASA Version 8.4(2)

hostname daycodmz

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 1

interface Vlan1

nameif dmz

security-level 50

ip address 172.23.0.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 1.1.1.2 255.255.255.0

object network LAN

subnet 172.23.0.0 255.255.255.0

object network core

host 172.23.0.2

object network web

host 172.23.0.4

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

access-list in_to_internet extended permit tcp any any

access-list in_to_internet extended permit icmp any any

access-list in_to_inside extended permit icmp any any

access-group in_to_internet in interface outside

access-group in_to_inside in interface dmz

object network LAN

nat (dmz,outside) dynamic interface

object network core

nat (dmz,outside) static 1.1.1.3

object network web

nat (dmz,outside) static 1.1.1.4

2. INSIDE Firewall:

daycoinside#sh run

: Saved

ASA Version 8.4(2)

hostname daycoinside

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Vlan2

nameif outside

security-level 0

ip address 172.23.0.254 255.255.255.0

interface Vlan3

nameif inside

security-level 100

ip address 192.168.16.1 255.255.255.0

object network inside

subnet 192.168.16.0 255.255.255.0

access-list in_to_internet extended permit icmp any any

access-list in_to_internet extended permit tcp any any

access-group in_to_internet in interface outside

object network inside

nat (inside,outside) dynamic interface

Re: Cisco ASA - Virtual Contexts - Cascade Setup

Bogdan Nita — Tue, 28 Nov 2017 10:51:01 GMT

1. I believe you are missing some routing config and I do not see the point of having NAT on the INSIDE Firewall.

DMZ Firewall:

route dmz 192.168.16.0 255.255.255.0 172.23.0.254

INSIDE Firewall:

route outside 0.0.0.0 0.0.0.0 172.23.0.1

no nat (inside,outside) dynamic interface

2. Should not be a problem having the VPN terminated on one context and then sending the traffic to a different context.

I would avoid having my INSIDE Firewall in the same network as DMZ servers. I would set up a dedicated interface to the INSIDE Firewall.

Also, for testing purposes you are better off using a emulator like GNS3 instead of Packet Tracer, which is a simulator.

topic Re: Cisco ASA - Virtual Contexts - Cascade Setup in Network Security

Cisco ASA - Virtual Contexts - Cascade Setup

Re: Cisco ASA - Virtual Contexts - Cascade Setup