topic Re: Setting up DMZ on ASA in Network Security

Setting up DMZ on ASA

samirshaikh52 — Mon, 11 Mar 2019 18:35:05 GMT

Hi Community,

I've an Cisco ASA 5520 with following interfaces setup:

Outside (0) 78.93.*.*

Inside ( 100) 10.1.2.20

Now I am planning to setup dmz and there will be webserver in that zone

I need help for two things:

1. How do I allow people accessing this webserver from Public Network

2, How do I allow only my pc residing in inside network to access this server and vice versa

Any will would be highly appreciated.

Re: Setting up DMZ on ASA

Federico Coto Fajardo — Sun, 05 Sep 2010 00:00:33 GMT

Hi,

Normally this is what you'll have:

inside = security level 100

outside = security level 0

dmz = security level 50

To allow traffic from outside to dmz you need:

static (dmz,outside) public_IP private_IP --> public_IP is the NATed IP for the web server and private_IP is the real IP

access-list outside_in permit tcp any host public_IP eq 80

access-group outside_in in interface outside

The above ACL will permit only TCP port 80 to the web server from the outside and it's applied to the outside interface.

In order to allow communication from inside to dmz, you just need NAT:

nat (inside) 1 0 0

global (dmz) 1 interface

Federico.

Re: Setting up DMZ on ASA

samirshaikh52 — Sun, 05 Sep 2010 00:07:49 GMT

Thanks for the prompt response

nat (inside) 1 0 0
global (dmz) 1 interface

This will allow all inside hosts to commucate with dmz server,

But in my case, I want to allow single host (that is my pc ) to communicate with this server.

Re: Setting up DMZ on ASA

Federico Coto Fajardo — Sun, 05 Sep 2010 00:11:56 GMT

To allow a single PC instead of having:

nat (inside) 1 0 0

global (dmz) 1 interface

You change it to this:

nat (inside) 1 x.x.x.x 255.255.255.255

global (dmz) 1 interface

Replace x.x.x.x with the IP.

Federico.

Re: Setting up DMZ on ASA

samirshaikh52 — Sun, 05 Sep 2010 00:13:41 GMT

What would happen if i make static NAT ?

Re: Setting up DMZ on ASA

Federico Coto Fajardo — Sun, 05 Sep 2010 00:18:45 GMT

You can create a static NAT:

Assuming your inside IP is 10.0.0.1

static (inside,dmz) 10.0.0.1 10.0.0.1

Static NAT is normally done for inbound access (from a lower security interface to a higher security)

Regular NAT is normally done for outbound traffic (that's why I gave you the example).

Short answer is... either way will work.

Problem with static NAT is that the DMZ will have access to initiate traffic to your PC (if allowed by ACL)

Federico.

Re: Setting up DMZ on ASA

samirshaikh52 — Sun, 05 Sep 2010 00:25:51 GMT

I have heard something about Exempt NAT. Perhaps I didn't got any idea from web.

Please can you explain with simple example

Thanks for your help

Re: Setting up DMZ on ASA

Federico Coto Fajardo — Sun, 05 Sep 2010 00:30:32 GMT

Exempt NAT is NAT 0 with ACL

Allows you to define which traffic to bypass NAT and it has the highest preference in the NAT priority check done by the ASA.

Normally used to bypass NAT for VPN traffic

ie.

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list nonat

The above will allow traffic to flow between both networks with NAT.

If you do the example of the static...

static (inside,dmz) 10.0.0.1 10.0.0.1

then you are allowing traffic to pass with NAT as well (this is static Identity NAT because you're not really translating the address anyway).

Federico.

Re: Setting up DMZ on ASA

samirshaikh52 — Sun, 05 Sep 2010 00:33:20 GMT

If i am not wrong, can I just create an ACL to allow traffic from inside to dmz without NAT...Is is possible to make it ?

Re: Setting up DMZ on ASA

Federico Coto Fajardo — Sun, 05 Sep 2010 00:37:05 GMT

Yes.

Depending on the version.

If you have nat-control enabled (can check it with sh run nat-control) then you MUST have a NAT rule for the ASA to allow traffic to pass between interfaces.

If you disable nat-control, then you can pass traffic without NAT.

However, an ACL is not required to pass traffic from inside to dmz.

An ACL is required to pass traffic from a lower security to a higher security (like in the case from dmz to inside).

Federico.

Re: Setting up DMZ on ASA

samirshaikh52 — Sun, 05 Sep 2010 00:47:41 GMT

This is what i have done after your great explanation

Static NAT

static (inside,dmz) 10.1.2.18 10.1.2.18 netmask 255.255.255.255

Created an ACL to allow the traffice from dmz to inside

access-list DMZ-1_access_in line 2 extended permit tcp host 172.16.1.X object-group MYPC object-group sqlnet

Re: Setting up DMZ on ASA

Federico Coto Fajardo — Sun, 05 Sep 2010 00:51:25 GMT

Remember the important rules:

Traffic from higher security to lower security
requires NAT (if having nat-control)

Traffic from lower security to higher security
requires STATIC NAT and ACL

If you already have an ACL applied to an interface, i.e. inside,
then all traffic that should be permitted must be explicitly defined.

If you really understand the above, you're done (for the basics).

Federico.

Re: Setting up DMZ on ASA

samirshaikh52 — Sun, 05 Sep 2010 01:17:34 GMT

Thank you so much to all clear all my doubts

Thats was quiter helpful.