topic asa configuration with dmz in Network Security

asa configuration with dmz

BENJAMIN FUERTES — Tue, 12 Mar 2019 01:27:35 GMT

I have ASA Version 8.0(5) and its configure nat-control
But sometimes i confuse with the a lot of infomacion of how configure a dmz that i found on the web.
So i wrote the configuracion i want to use, and i really appreciate your advise. for example if i hace to change or add some parameters .
As you will read i separated the configuracion by traffic.

This is the configuration i want to implement on the firewall

Trafic from inside to dmz: i just want thar form inside i can access to specific servers
access-list INSIDE extended permit tcp host 10.117.210.55 host 192.168.69.11 object-group PUERTOS-OWA
access-list INSIDE extended permit tcp host 10.117.210.56 host 192.168.69.11 object-group PUERTOS-OWA

access-list NO-NAT-0 extended permit ip host 10.117.210.56 host 192.168.69.11
access-list NO-NAT-0 extended permit ip host 10.117.210.55 host 192.168.69.11

ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 host 10.117.210.56 object-group PUERTOS-OWA
ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 host 10.117.210.55 object-group PUERTOS-OWA

nat (inside) 0 access-list NO-NAT-0
accces-group in interface inside

***************************************************************************************
Traffic from outside to dmz

static (DMZ-owa , outside) 186.x.x.x 192.168.69.10 netmask 255.255.255.255

access-list OUTSIDE EX PERMIT TCP ANY HOST 186.x.x.x EQ 25

access-group OUTSIDE in interface outside

***************************************************************************************

Trafic from dmz to inside:just want from dmz access to specific inside host.

ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 host 10.117.210.61 EQ 53
ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 host 10.117.210.62 EQ 53
ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 HOST 10.117.210.44 EQ 123
ACCESS-LIST DMZ EX PERMIT UDP HOST 192.168.69.11 HOST 10.117.210.44 EQ 123

ACCESS-LIST DMZ-NAT0 EX PERMIT IP HOST 192.168.69.11 host 10.117.210.62
ACCESS-LIST DMZ-NAT0 EX PERMIT IP HOST 192.168.69.11 host 10.117.210.61

ACCESS-LIST DMZ-NAT0 EX PERMIT IP HOST 192.168.69.11 host 10.117.210.44

nat (dmz-owa) 0 access-list DMZ-NAT0

access-group DMZ-NAT0 in interface DMZ-OWA

Regards..

asa configuration with dmz

Jouni Forss — Fri, 12 Apr 2013 15:58:41 GMT

Hi,

Just a couple of quick questions for a start.

Is the "dmz-owa" interface a totally new interface thats not yet in use? Is these the first configurations for that interface.
Do you have any need to NAT traffic between the whole "dmz-owa" and "inside" networks? Or should both of the network be visible to eachother with their original IP addresses?

Atleast one thing that stands out in the above configuration is that on the "dmz-owa" interface you have actually attached the NAT0 ACL as the interface ACL instead of the other ACL created to be the interface ACL, atleast this is what I assume.

- Jouni

asa configuration with dmz

BENJAMIN FUERTES — Fri, 12 Apr 2013 16:15:37 GMT

HI, dmz-owa is a new interface that want to configure.

DMZ servers receive incoming traffic from the outside.

those same dmz-servers need to communicate with some servers on the internal network.

I would like to know which is correct and safe way not to compromise internal servers.

Re: asa configuration with dmz

Jouni Forss — Fri, 12 Apr 2013 16:26:02 GMT

Hi,

I am just wondering about the NAT part of your setup. I personally try to keep the NAT setup as simple as possible.

If you for example wanted to configure NAT0 for all traffic between the "inside" and "dmz-owa" I would do it in the following way

NAT0 Configurations for INSIDE and DMZ-OWA

Presuming the networks are
- inside = 10.117.210.0/24
- dmz-owa = 192.168.69.0/24

access-list INSIDE-NAT0 remark NO NAT for INSIDE to DMZ-OWA Traffic

access-list INSIDE-NAT0 permit ip 10.117.210.0 255.255.255.0 192.168.69.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

access-list DMZ-OWA-NAT0 remark NO NAT for DMZ-OWA to INSIDE Traffic

access-list DMZ-OWA-NAT0 permit ip 192.168.69.0 255.255.255.0 10.117.210.0 255.255.255.0

nat (dmz-owa) 0 access-list DMZ-OWA-NAT0

This would make it so that both networks could reach eachother with their original IP addresses.

You would still the ACLs you mention to control what traffic is allowed on the firewall interfaces.

I dont think there is anything wrong with the above configurations but I would just consider doing the NAT0 configuration more broadly by doing it for the whole networks and leaving the traffic controlling to the interface ACLs instead of NAT / nat-control

But if the above NAT0 configuration is possible naturally depends also on the existing configurations on the firewall which I have not seen.

- Jouni

asa configuration with dmz

BENJAMIN FUERTES — Fri, 12 Apr 2013 16:57:36 GMT

thanks for your help ,

i read on a link that if i want to pass traffic from lower security level to a high security level i have to use static nat if i use nat-control. and if i not use nat-control i just have to use acclist. it is correct what i read? can you explain me that?

by the other hand what you told me that is correct the configuration that i want to do but will be better if i do this change in the acl:

Trafic from inside to dmz:

access-list INSIDE extended permit tcp host 10.117.210.55 host 192.168.69.11 object-group PUERTOS-OWA

access-list INSIDE extended permit tcp host 10.117.210.56 host 192.168.69.11 object-group PUERTOS-OWA

access-list INSIDE-NAT0 remark NO NAT for INSIDE to DMZ-OWA Traffic

access-list INSIDE-NAT0 permit ip 10.117.210.0 255.255.255.0 192.168.69.0 255.255.255.0

Trafic from dmz to inside

ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 host 10.117.210.61 EQ 53

ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 host 10.117.210.62 EQ 53

ACCESS-LIST DMZ EX PERMIT TCP HOST 192.168.69.11 HOST 10.117.210.44 EQ 123

ACCESS-LIST DMZ EX PERMIT UDP HOST 192.168.69.11 HOST 10.117.210.44 EQ 123

access-list DMZ-OWA-NAT0 remark NO NAT for DMZ-OWA to INSIDE Traffic

access-list DMZ-OWA-NAT0 permit ip 192.168.69.0 255.255.255.0 10.117.210.0 255.255.255.0

and with the access-list that are applied on the interface i control what servers could enter , so if i want in the future add a new server i just have to add a new accls on the ACL applied in the interface. is correct?

i just wondering something else that i found on the web.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

in the part that show the example of dmz to inside i dont understand why in the configuration used in the stactic configuration the ip 192.168.2.20

if the ip of the dmz-server is 192.168.1.10 , i think that should be

static (inside,DMZ)192.168.1.10 172.20.1.5 netmask 255.255.255.255 and replace the ip 192.168.2.20 for 192.168.1.10 in the acces-list. but if i am wrong please explainn to me.

Thanks for all your help.

Re: asa configuration with dmz

Jouni Forss — Fri, 12 Apr 2013 17:13:09 GMT

Hi,

The idea of the configuration I mentioned is to simply make sure that NO NAT is done between the 2 local networks you have. And as you say you could now just use the interface ACLs to control which traffic should pass the interface ACL to the other network.

As for the linked example,

I dont really understand why would I for example want to NAT my local network addresses. To me it seems just as something that isnt needed and which would result in more complexity to the network. I am not sure what the purpose of the NAT is in the documents situation. Maybe its just an example of the Static NAT configuration but I dont see to NAT the IP address from the INSIDE to DMZ in that situation. Then again I havent read the whole document through.

EDIT: I guess the point of the Static NAT configuration in the document is that "nat-control" is enabled and therefore every connection going through the firewall requires a NAT configuration. So you would for example need a "static" statement between your local interfaces/networks for the traffic to be allowed through.

How you configure your setup is naturally up to you.

You can use the NAT0 configuration between the whole networks and control the traffic with ACLs.

You have also the option to configure Identity NAT which would enable the networks to form connection using the original IP addressing

That configuration would probably look something like this

static (inside,dmz-owa) 10.117.210.0 10.117.210.0 netmask 255.255.255.0

- Jouni

Message was edited by: Jouni Forss

asa configuration with dmz

BENJAMIN FUERTES — Fri, 12 Apr 2013 17:18:44 GMT

thank you very much, i appreciate your assistance.

there is no confuse know.