topic ASA 5510 DMZ creation in Network Security

ASA 5510 DMZ creation

vipinrajrc — Mon, 11 Mar 2019 21:49:58 GMT

Hi,

I need to implement a DMZ in my office. Before talking about the configuration , i would like to know best practises of implementing DMZ.

My questions are

1) is traffic from inside to DMZ is permit by default?

2) What about DMZ to Inside traffic ?

3) Is it necessary to do a NAT from inside to DMZ with the same IP as of inside

4) What is the use of " static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ? is it a no nat statement?

5) Is it necessary to permit traffic from DMZ to inside?

6) Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?

Please share your advices

Thanks

Vipin

ASA 5510 DMZ creation

varrao — Mon, 14 Nov 2011 07:17:36 GMT

Hi Vipin,

Here are your answers:

1) is traffic from inside to DMZ is permit by default?

Yes, from higher security to lower, traffic is permitted by default.

2) What about DMZ to Inside traffic ?

No, you would need to allow the traffic through ACL.

3) Is it necessary to do a NAT from inside to DMZ with the same IP as of inside

If you have no nat-control enabled, then no need, if nat-cpontrol enabled, you would need it.

4) What is the use of " static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ? is it a no nat statement?

Yes, it is self-static and sort of a no nat statement. If going from DMZ to inside, the destination shoudl not be natted.

5) Is it necessary to permit traffic from DMZ to inside?

Yes, definitely.

6) Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?

Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only.

Hope that helps,

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Mon, 14 Nov 2011 08:12:01 GMT

Hi,


3) Is it necessary to do a NAT from inside to DMZ with the same IP as of inside
If you have no nat-control enabled, then no need, if nat-cpontrol enabled, you would need it.
5) Is it necessary to permit traffic from DMZ to inside?
Yes, definitely.
6) Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?
Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only.

I have doubts on the above points.

1) What exactly is Nat-control?

2) What is the need to permit traffic from DMZ to inside.

3) "

Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only."

Webserver is publiching a webpage right? Also it is having a public IP address. So whenever we try to access that webpage it should go through internet, right?

If something like RDP it will go to through inside interface--ASA--DMZ interface -- webserver, right?

Is my concept is clear?

I am asking this because i need to get it clarified before implementaion.

Please advice

Thanks

Vipin

ASA 5510 DMZ creation

varrao — Mon, 14 Nov 2011 08:22:13 GMT

Hi Vipin,

Nat-control is a feature which when enabled on the ASA, would need transalation for every traffic on the ASA, if it is not enabled, you can just allow traffic through ACL.

Here's a reference guide for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857

DMZ to inside access depends upon your requirement, if you don't need it, don't allow traffic. If you want traffic from inside to DMZ, that woudl be allowed by default.

To allow access to webpage on inside interface as well as from the internet, you would need to add two static commands:

lets say server public ip is 1.1.1.1 and private ip is 10.1.1.1

then:

static (dmz,outside) 1.1.1.1 10.1.1.1

static (dmz,inside) 1.1.1.1 10.1.1.1

The traffic from inside interafce would go through the ASA only, and from outside it would come from internet and then go to DMZ.

Thats all you should need as far as Nat is concerned.

Hope that helps.

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Mon, 14 Nov 2011 08:41:45 GMT

Hi ,

Got it.

My requirement is as below.

1) configure DMZ with a server.( this serve is used to download data from other locations. i know the IP address of the other servers. they are publically available.)

2) Now this server is connected directly to a modem. So after DMZ creation also this will as this.

3) Need to access DMZ server from inside. By deault it is there right?

I will tell my plan. please suggest if it has any errors?

1) put the server in to DMZ interface

2) Configure a new network for DMZ

3) Configure static NAT for the server using static (dmz,outside) coammand

4) Permit rule for access this server from other servers

5) Permit static (inside,dmz) 192.168.1.0 192.168.1.0 for accessing DMZ server from inside host

Did i miss anything?

Please advice

Thanks

Vipin

ASA 5510 DMZ creation

varrao — Mon, 14 Nov 2011 08:51:52 GMT

Hi Vipin,

Yes, you are absolutely correct, as per your requirement, but just one thing, if your DMZ server is in the network 192.168.1.0 network, then you would need the following static:

static (dmz,inside) 192.168.1.0 192.168.1.0

Rest everything is good.

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Mon, 14 Nov 2011 08:57:32 GMT

Hi,

static (dmz,inside) 192.168.1.0 192.168.1.0 is this required? my inside is in the range of 192.168.1.0. DMZ will be in the range of 192.168.2.0.

Please Advice

Thanks

ASA 5510 DMZ creation

varrao — Mon, 14 Nov 2011 09:14:37 GMT

No, Nat would not be required for Inside, you would just need nat for DMZ;

static (dmz,inside) 192.168.2.0 192.168.2.0

For inside, you would need:

nat (inside) 1 0 0

global (dmz) 1 interface

Try it and let me know, it shoudl work fine.

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Tue, 15 Nov 2011 03:17:17 GMT

Please check the below scenario and configuration and let me know whether it will work or not

Assume my inside network is 192.168.1.0/24

outside network is 199.199.7.64/29

DMZ network is 192.168.2.0/24

DMZ server IP address --> 192.168.2.2

please see the below configuration which i am planning to implement

===================================
1) Confiure interfaces,IP addresses
===================================

interface Ethernet0/0
description "Connection to LAN"
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
description "Connection to outside"
nameif outside
security-level 0
ip address 199.199.7.66 255.255.255.248
!
interface Ethernet0/2
description "DMZ"
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0

=====================================
2)Configuring PAT for inside and default route
=====================================

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 199.199.7.65 1

=====================================
3) Configure static NAT for DMZ server
=====================================

static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255

=====================================
4)RUle to permit traffic from outside to DMZ server
=====================================

access-list OUTSIDE_INSIDE extended permit Ip any host 199.199.7.67
access-group OUTSIDE_INSIDE in interface outside

====================================
5)RUle to permit traffic from DMZ server to outside
====================================

access-list DMZ_OUTSIDE extended permit ip host 192.168.2.2 any
access-group DMZ_OUTSIDE in interface DMZ

====================================
6)No NAT from inside to DMZ and DMZ to inside
====================================

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

====================================================================================

I am having some questions also.

1) is this configurations are right?

2) Is there anything wrong in the title 5 and title 6 ( i mean configuration i mentioned above)

3) is there anything i need to configure ?

please advice........

Thanks
Vipin

Re: ASA 5510 DMZ creation

varrao — Tue, 15 Nov 2011 03:24:40 GMT

Hi Vipin,

I do not find anything wrong in 6, but you need not configure 5, since by default traffic from higher security to lower security is permitted, even if you remove it, DMZ would be able to access internet.

Moreover this is not correct:

=====================================

3) Configure static NAT for DMZ server

=====================================

static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255

it shoudl be:

static (DMZ,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255

In 2, you would also need this global statement:

global (DMZ) 1 interface

Rest everything is fine.

Hope that helps,

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Tue, 15 Nov 2011 03:28:53 GMT

Hi,

Thanks, i got it

So it will work right? Also are you aware of the port numbers used for signature update of trend micro antivirus?

If you do please specify.

Thanks

Vipin

ASA 5510 DMZ creation

varrao — Tue, 15 Nov 2011 03:35:05 GMT

Hi Vipin,

Are you talking about CSC module or IPS module, in both the cases updates atre done through port 80 and 443.

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Tue, 15 Nov 2011 03:39:56 GMT

Hi,

I am not aware of these modules. it would be great if you can share some information regarding these modules. in a normal case which will be the port numbers for virus signature update.

I am also searching for the portnumbers.

Thanks

Vipin

ASA 5510 DMZ creation

varrao — Tue, 15 Nov 2011 03:49:02 GMT

Hi Vipin,

These modules use port 80 mand 443 for signature updates and other anti-virus updates. CSC updates from the Trendmicro servers and IPS from Cisco sites.

CSC - Content Security Module.

It is used for filtering and blocking web traffic like smtp,ftp,https,http and pop3.

IPS - Intrusion Prevention module

It is used to detect any intrusion based upon specific patterns defined in signatures.

Here are the docs for the 2:

CSC:

http://www.cisco.com/en/US/products/ps6823/index.html

IPS:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cliguide.html

Hope that helps.

Thanks,

Varun

ASA 5510 DMZ creation

vipinrajrc — Tue, 15 Nov 2011 04:03:03 GMT

Hi,

No No Not this. I am having a seperate antivirus server. It is from Trend Micro.

Thanks for your help

Vipin

ASA 5510 DMZ creation

varrao — Tue, 15 Nov 2011 04:09:10 GMT

I am not sure about Trend Micro, but if it has to go to some other server on the internet for updates, then it woudl use the ports mentioned above.

Varun

Re: ASA 5510 DMZ creation

vipinrajrc — Tue, 15 Nov 2011 04:13:45 GMT

Hi,

Thanks I will check and update. thanks for your help.....................

Vipin

ASA 5510 DMZ creation

varrao — Tue, 15 Nov 2011 05:09:34 GMT

Sure let me know if you face any issues

Thanks,

Varun