5220 Views | 0 Helpful | 7 Replies

Approaches for DMZ with public IP addresses

mahoneave
Level 1

Hi,

I'm looking for feedback on a best-practices approach to creating a DMZ with public IP addresses. It seems there are two options:

1. Have the ISP subnet the address block and assign one of these subnets to the DMZ. From that point forward it is simply a matter of routing and assigning the DMZ and public interfaces into zones with appropriate policies applied.
2. Use BVI to bridge between the internet zone and the DMZ zone. This will allow the ISP address block to be bridged across two interfaces. The bridged interfaces can be assigned to the public and DMZ zones with appropriate policies applied.

I'm wondering if there are pros/cons to approach number 2, since I do not have experience with this approach in a production environment. But more generally, I am looking for common/best-practice approach(es) to creating a DMZ with public IP addresses.

Thanks!

7 Replies

jgraafmans
Level 1

If you bridge the interface to the DMZ with the interface connecting to the internet, your router bridges packets instead of routing them, and therefore layer 3 security won't be applied to this traffic.

You can also use private IP addresses in your DMZ and use static NAT rules to make them accessible from the internet.

Unfortunately, NATing is not an option for this application. The devices in the DMZ must be addressed with non-NATed public IP addresses.

My understanding of zone-based firewall is that upper-layer inspection is possible between the interfaces that make up the bridge group.  Is this incorrect?

Thanks!

Sorry, you're right; it is indeed possible to configure IOS as a transparent firewall: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_trans.html#wp1052681

If possible I would still prefer having a /30 subnet to the ISP and another subnet on the DMZ. This makes it easier to configure and troubleshoot.

manasjai
Cisco Employee

Hi,

As of now you cannot bridge two interfaces of an ASA for them to be in the same subnet.

If you use the firewall in transparent mode, then the security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only. Further, in single context mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

With transparent firewall mode, each directly connected network must be on the same subnet.

Considering all these things, we can split the IP block provided by the ISP into 2. We can then assign one subnet to the DMZ and the other one to the outside. Your inside network remains untouched!

Hope this helps!!

Cheers,

Manasi

Also, I am not sure if we are talking about an ASA here or a router with zone-based firewall configured.

The above explanation is for an ASA device.

Thanks,

Manasi

Manasi,

Thanks. Yes, I was referring to IOS firewall functionality, I suppose. The following link indicates that more than two interfaces can be configured when a bridged/transparent firewall is configured on an IOS zone-pair firewall. I'm surprised that an ASA cannot do the same.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#req

So is splitting the ISP address block the common approach? The downside of this is that I would burn two additional IPs out of my block, and I'd also have to participate in routing with my ISP. Is it possible to simply have a privately addressed connection to my perimeter device, i.e. 10.10.10.0/30, so that I could manage the routes between the subnetted public IP block?

Again, I'm mainly interested in common/typical approaches to creating publicly addressed DMZs. What does the crowd say?

ASA would be getting similar functionality in later versions.

Well, since we are talking about IOS firewall here, yes, we can do bridging.

But if you talk about the crowd, I have generally seen them splitting the IP block!!

Cheers,

Manasi!
