
Best Practice for Segregating Hosts in a DMZ using an ASA5510

Roland.Corbet
Level 1

We are about to deploy a Microsoft Hyper-V High Availability cluster and I want to understand how my thinking on segregating the servers in the DMZ aligns with best practice.

Each server in the Hyper-V cluster follows best practice and has a dedicated NIC for DMZ traffic.

The DMZ contains servers for clients that we provide hosting for and we wish to achieve a scenario where each server in the DMZ:

  • can communicate with the Internet
  • is NOT permitted to communicate with any other client's servers
  • must be able to communicate with the Active Directory Domain Controller (AD DC) for the DMZ domain

In order to achieve this in our environment, I am proposing the following:

  • Set VLAN ID on each Hyper-V Guest NIC to a unique ID per client (i.e. each client will get a dedicated VLAN id and corresponding subnet range in private IP address space - broken down into subnets of 8 IPs to allow for a little future growth.  It's rare that a client has more than 2 or 3 servers hosted with us.)
  • Configure Dell PowerConnect 6224s to trunk the multiple VLANs up to the ASA5510.
  • Ensure that the Dell 6224 does not offer any L3 routing that would bypass the ASA5510.
  • Configure a VLAN and Subnet for the AD DC
  • On the ASA5510 set up the following:
    • NAT + ACLs to permit each VM to access the Internet via a static IP address on the outside interface of the ASA.
    • ACLs to permit each client's VLAN/Subnet to communicate with the AD DC VLAN and Subnet.
    • Set all DMZ VLANs / Subnets to the same security level, and ensure that "communication between interfaces on the same level" is not permitted.

Any comments on the above, or suggestions for alternative methods would be greatly appreciated.

Kind regards,

Roland
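The following configuration fragment is an added illustration of the plan above, not the poster's or Cisco's own configuration. It assumes ASA 8.3+ object-NAT syntax; the interface names, VLAN IDs, RFC 1918 / RFC 5737 addresses, the AD DC address and the AD service port list are constructed placeholders, and only one client VLAN is shown (each further client repeats the subinterface, NAT object and ACL pattern).

```cisco
! Added illustration of the plan above (not the poster's or Cisco's config).
! ASA 8.3+ object-NAT syntax; interface names, VLAN IDs, addresses and the
! AD DC port list are constructed placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Trunk from the Dell 6224: no IP on the parent port, one subinterface per VLAN
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/1.10
 vlan 10
 nameif dmz-addc
 security-level 50
 ip address 10.10.10.1 255.255.255.248
interface Ethernet0/1.101
 vlan 101
 nameif dmz-clientA
 security-level 50
 ip address 10.10.101.1 255.255.255.248
!
! Default behaviour: interfaces at the same security level cannot reach each
! other unless this is enabled, so leave it off (shown explicitly)
no same-security-traffic permit inter-interface
!
! Static NAT: the client's VM gets its own public address on the outside interface
object network clientA-srv1
 host 10.10.101.2
 nat (dmz-clientA,outside) static 203.0.113.10
!
! Only the AD services the DMZ domain needs, rather than "any" towards the DC
object-group service ADDC-PORTS
 service-object udp destination eq 53
 service-object tcp destination eq 53
 service-object udp destination eq 88
 service-object tcp destination eq 88
 service-object tcp destination eq 135
 service-object tcp destination eq 389
 service-object tcp destination eq 445
 service-object tcp destination range 49152 65535
!
! Per-client inbound ACL: DC on the listed ports, no other private space, then Internet
access-list dmz-clientA-in extended permit object-group ADDC-PORTS 10.10.101.0 255.255.255.248 host 10.10.10.2
access-list dmz-clientA-in extended deny ip 10.10.101.0 255.255.255.248 10.0.0.0 255.0.0.0
access-list dmz-clientA-in extended permit ip 10.10.101.0 255.255.255.248 any
access-group dmz-clientA-in in interface dmz-clientA
```

The explicit deny towards 10.0.0.0/8 is defence in depth: the same-security default already blocks client-to-client traffic, but the ACL keeps that intent visible in the policy even if someone later enables same-security-traffic for another reason.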

1 Reply

Panos Kampanakis
Cisco Employee

Roland,

So you are proposing putting the machines on different vlans, trunking them to the ASA and having the ASA do the access control between the vlan interfaces. It looks good.

Another option would be private vlans, but that is not as flexible as a firewall that could do more checks and policy enforcement.

I hope it helps.

PK
