<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DMZ Advice in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305572#M858183</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Michael&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"Ok, so the (inside,dmz) was backwards."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;No it wasn't. What Collin was explaining was that if you wanted to ping the DMZ from inside you do not need a NAT statement.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If however you wanted to initiate any connection from the DMZ to the inside then you will need &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;although personally I wouldn't use a static that big, i.e. the whole 10.0.0.0/8 internal network. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As for the domain controller thing I agree totally with Collin in that you shouldn't run a machine in the DMZ that is part of your internal domain - Windows networking is just not secure enough and you end up opening no end of ports. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does it really need to be a member of the internal domain or is it just so you can remotely manage it? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you absolutely must do this then if you need to find out the ports &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) add the NAT rule as above &lt;/P&gt;&lt;P&gt;2) add an acl to the dmz interface &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list DMZIN permit ip host &lt;DMZ server&gt; 10.0.0.0 255.0.0.0 log &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;then you should at least be able to see by checking the logging what ports are being used.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 02 Sep 2009 20:10:25 GMT</pubDate>
    <dc:creator>Jon Marshall</dc:creator>
    <dc:date>2009-09-02T20:10:25Z</dc:date>
    <item>
      <title>DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305560#M858162</link>
      <description>&lt;P&gt;I currently have a couple of public servers on our internal network and I'm using the new Public Server option in ASA 8.2. What I have done is created a new interface on my ASA called DMZ with sub-interfaces in addition to my current Inside and Outside. The DMZ is trunked into my LAN on a layer 2 VLAN only so traffic isn't exposed. Outside interface is 0, DMZ is 50, and inside is 100. I'm trying to figure out why I can't manage the DMZ server from my internal network. Any suggestions?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 16:11:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305560#M858162</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2019-03-11T16:11:44Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305561#M858163</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;How are you trying to manage it (RDP, SSH)? Do you have an inside ACL in place? Is it allowing the traffic? Can you see the DMZ server from the ASA?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 12:22:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305561#M858163</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2009-09-02T12:22:12Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305562#M858164</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well, let me explain a little further. I actually failed to add the new DMZ VLAN on the BladeCenter switch, so now I can get to it. This DMZ server is a VM on an IBM BladeCenter. It is sitting on its own VLAN which gets trunked back to the ASA on a separate interface. Now our server admin can't join it to our domain. I have the DMZ ACL to the Outside interface disabled and have the DMZ interface allowing ip any to the inside interface. What is a best practice for managing a DMZ server? Configuring rules to allow RDP, DNS, HTTP, etc.? &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 18:03:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305562#M858164</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2009-09-02T18:03:19Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305563#M858166</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;IMO a DMZ server should not be part of the domain, so only the necessary ports should be open. If security is important use IPSec or RPC over HTTPS. Since you're going from a higher security interface to a lower one, you'll need to NAT. Do you have that in place? What do the logs say when the server guys try and add it to the domain?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 18:07:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305563#M858166</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2009-09-02T18:07:35Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305564#M858167</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The only NAT rule i have in place is the internal IP of the server mapped to the public IP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 18:21:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305564#M858167</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2009-09-02T18:21:24Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305565#M858169</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You will need one from DMZ to inside and DMZ to outside (if you want internet access).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 18:25:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305565#M858169</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2009-09-02T18:25:22Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305566#M858171</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Could you provide a CLI example of the DMZ to inside? Thanks for your time!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 18:30:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305566#M858171</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2009-09-02T18:30:20Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305567#M858173</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sure-&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There are a couple of ways to do it. Let's assume the inside subnet is 192.168.5.0 /24.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Translate all IPs&lt;/P&gt;&lt;P&gt;==================&lt;/P&gt;&lt;P&gt;static (inside,dmz) 192.168.5.0 192.168.5.0 255.255.255.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Translate a single IP&lt;/P&gt;&lt;P&gt;======================&lt;/P&gt;&lt;P&gt;static (inside,dmz) 192.168.5.10 192.168.5.10 255.255.255.255&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You could also do NAT exempt.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 18:59:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305567#M858173</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2009-09-02T18:59:35Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305568#M858175</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;From reading the documentation for 8.2, I saw the same sort of rule. We use an entire 10.0.0.0 /8 scope. When I add static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 the ASA accepts it but the ASDM won't allow it. The NAT rule ended up displaying in the ASDM after I added it though. I was able to ping the DMZ IP before I added this NAT, so is it necessary?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 19:24:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305568#M858175</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2009-09-02T19:24:38Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305569#M858177</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;NAT is not required when going from a higher security interface to a lower one (such as your ping). When you go from a lower one to a higher one you have to NAT. The NAT statement you put in only affects traffic sourcing from the DMZ destined to the inside. I don't use ASDM so I can't help too much on what you saw.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 19:29:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305569#M858177</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2009-09-02T19:29:57Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305570#M858179</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ok, so the (inside,dmz) was backwards.&lt;/P&gt;&lt;P&gt;I changed it to static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 and we still can't contact the domain controller.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 20:02:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305570#M858179</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2009-09-02T20:02:15Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305571#M858180</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Now it's backwards, it should be-&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's a bit confusing but what we are doing is telling the ASA that when the DMZ server wants to talk to a server on the 10 network, translate it to the same 10 network IP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Check your log when you try and add the server to the domain and post what you see.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 20:07:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305571#M858180</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2009-09-02T20:07:13Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305572#M858183</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Michael&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"Ok, so the (inside,dmz) was backwards."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;No it wasn't. What Collin was explaining was that if you wanted to ping the DMZ from inside you do not need a NAT statement.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If however you wanted to initiate any connection from the DMZ to the inside then you will need &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;although personally I wouldn't use a static that big, i.e. the whole 10.0.0.0/8 internal network. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As for the domain controller thing I agree totally with Collin in that you shouldn't run a machine in the DMZ that is part of your internal domain - Windows networking is just not secure enough and you end up opening no end of ports. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does it really need to be a member of the internal domain or is it just so you can remotely manage it? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you absolutely must do this then if you need to find out the ports &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) add the NAT rule as above &lt;/P&gt;&lt;P&gt;2) add an acl to the dmz interface &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list DMZIN permit ip host &lt;DMZ server&gt; 10.0.0.0 255.0.0.0 log &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;then you should at least be able to see by checking the logging what ports are being used.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Sep 2009 20:10:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305572#M858183</guid>
      <dc:creator>Jon Marshall</dc:creator>
      <dc:date>2009-09-02T20:10:25Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Advice</title>
      <link>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305573#M858185</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks guys, I think I have found the solution. I got it working and added a couple of ACLs for the DMZ server to communicate with the inside network. We're also going to be configuring something called vShield in VMware 4.0. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Sep 2009 16:38:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-advice/m-p/1305573#M858185</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2009-09-03T16:38:42Z</dc:date>
    </item>
  </channel>
</rss>