12-24-2010 11:22 AM - edited 03-11-2019 12:27 PM
Hi,
I'm looking for feedback on best-practices approach to create a DMZ with public IP addresses. It seems there are two options:
1. Have the ISP subnet the address block and assign one of these subnets to the DMZ. From that point forward it is simply a matter of routing and assigning the DMZ and public interfaces into zones with appropriate policies applied.
2. Use BVI to bridge between the internet zone and the DMZ zone. This will allow the ISP address block to be bridged across two interfaces. The bridged interfaces can be assigned to the public and DMZ zones with appropriate policies applied.
I'm wondering if there are pros/cons to approach number 2, since I do not have experience with this approach in a production environment. But more generally, I am looking for common/best-practice approach(es) to creating a DMZ with public IP addresses.
Thanks!
12-24-2010 04:05 PM
If you bridge the interface to the DMZ with the interface connecting to the internet, your router bridges packets instead of routing them and therefore layer 3 security won't be applied to this traffic.
You can also use private IP addresses in your DMZ and use static NAT rules to make them accessible from the internet.
12-24-2010 04:57 PM
Unfortunately, NATing is not an option for this application. The devices in the DMZ must be addressed with non-NATed public IP addresses.
My understanding of zone-based firewall is that upper-layer inspection is possible between the interfaces that make up the bridge group. Is this incorrect?
Thanks!
12-24-2010 05:10 PM
Sorry, you're right, it is indeed possible to configure IOS as a transparent firewall: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_trans.html#wp1052681
If possible I would still prefer having a /30 subnet to the ISP and another subnet on the DMZ. This makes it easier to configure and troubleshoot.
12-24-2010 07:07 PM
Hi,
As of now you cannot bridge two interfaces of ASA for them to be in the same subnet.
If you use the firewall in transparent mode then the security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only. Further, in single context mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
With transparent firewall mode, each directly connected network must be on the same subnet.
Considering all these things, we can split the IP block provided by the ISP into 2. We can then assign one subnet to the DMZ and the other one to the outside. Your inside n/w remains untouched!
Hope this helps!!
Cheers,
Manasi
12-24-2010 07:09 PM
Also, I am not sure if we are talking about an ASA here or a router with zone-based firewall configured.
The above explanation is for an ASA device.
Thanks,
Manasi
12-25-2010 02:06 PM
Manasi,
Thanks. Yes, I was referring to IOS firewall functionality, I suppose. The following link indicates that more than two interfaces can be configured when a bridged/transparent firewall is configured on an IOS zone-pair firewall. I'm surprised that an ASA cannot do the same.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#req
So is splitting the ISP address block the common approach? The downside of this is that I would burn two additional IPs out of my block, and I'd also have to participate in routing with my ISP. Is it possible to simply have a privately addressed connection to my perimeter device, i.e. 10.10.10.0/30, so that I could manage the routes between the subnetted public IP block?
Again, I'm mainly interested in common/typical approaches to creating publicly addressed DMZs. What does the crowd say?
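The address-count trade-off raised in the post above (burning addresses on a transit /30 versus bridging or using a private transit link) is easy to work through with the standard library. The following is an added example, not code from the thread or from Cisco: the public block 203.0.113.0/28 is a constructed sample from the documentation range, 10.10.10.0/30 is the private transit link the poster proposed, and the ISP-side/customer-side address assignment on the transit link is an assumed convention. The private-transit variant assumes the ISP agrees to point a static route for the public block at the customer's address on that private link.

```python
import ipaddress

def usable_hosts(net):
    """IPv4 host addresses left after the network and broadcast addresses."""
    return net.num_addresses - 2

def plan_split(isp_block, transit_prefix=30):
    """Option 1 from the thread: carve a transit subnet out of the public block
    and give the DMZ the largest aligned subnet that remains.  Any other
    leftover piece is reported as spare (it cannot be merged into the DMZ
    subnet without summarizing across the transit link)."""
    block = ipaddress.ip_network(isp_block, strict=True)
    if block.prefixlen >= transit_prefix:
        raise ValueError("block is too small to carve a transit subnet from")
    transit = next(block.subnets(new_prefix=transit_prefix))
    # address_exclude() yields the leftover pieces as aligned subnets;
    # the largest one becomes the DMZ, the rest is stranded.
    leftovers = sorted(block.address_exclude(transit), key=lambda n: n.prefixlen)
    dmz, spare = leftovers[0], leftovers[1:]
    isp_side, cust_side = list(transit.hosts())[:2]   # assumed convention: ISP .1, customer .2
    return {
        "transit": str(transit),
        "dmz": str(dmz),
        "spare": [str(n) for n in spare],
        # the ISP must route the DMZ subnet to the perimeter device's transit address
        "isp_static_route": f"{dmz} via {cust_side}",
        "isp_gateway": str(isp_side),
        # one DMZ address goes to the perimeter device's DMZ interface
        "dmz_servers": usable_hosts(dmz) - 1,
    }

def plan_private_transit(isp_block, private_link="10.10.10.0/30"):
    """The poster's alternative: a private /30 to the ISP (assumes the ISP
    accepts a private next hop) and the whole public block routed to the DMZ."""
    block = ipaddress.ip_network(isp_block, strict=True)
    link = ipaddress.ip_network(private_link, strict=True)
    if not link.is_private:
        raise ValueError("transit link is expected to be private space")
    isp_side, cust_side = list(link.hosts())[:2]
    return {
        "transit": str(link),
        "dmz": str(block),
        "isp_static_route": f"{block} via {cust_side}",
        "isp_gateway": str(isp_side),
        "dmz_servers": usable_hosts(block) - 1,  # perimeter DMZ interface takes one
    }

def plan_bridged(isp_block):
    """Option 2: the block is bridged across the outside and DMZ interfaces.
    The ISP router's address sits inside the block and is the DMZ hosts'
    default gateway; the perimeter device needs no address of its own."""
    block = ipaddress.ip_network(isp_block, strict=True)
    return {
        "dmz": str(block),
        "isp_gateway": str(next(block.hosts())),
        "dmz_servers": usable_hosts(block) - 1,  # ISP gateway takes one
    }

def compare(isp_block):
    """Side-by-side server capacity of the three designs for one ISP block."""
    plans = {
        "split": plan_split(isp_block),
        "private_transit": plan_private_transit(isp_block),
        "bridged": plan_bridged(isp_block),
    }
    return {name: p["dmz_servers"] for name, p in plans.items()}

if __name__ == "__main__":
    for name, plan in (("split", plan_split("203.0.113.0/28")),
                       ("private transit", plan_private_transit("203.0.113.0/28")),
                       ("bridged", plan_bridged("203.0.113.0/28"))):
        print(name, plan)
    print(compare("203.0.113.0/28"))
```

For the sample /28 the split design leaves five server addresses (a /29 DMZ minus the firewall interface, with a stranded /30 beside the transit /30), while both the private-transit and bridged designs keep thirteen; what the split buys back is that every DMZ packet is routed and therefore subject to the layer 3 policy the second reply mentions.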
12-25-2010 08:09 PM
ASA would be getting similar functionality in later versions.
Well since we are talking about IOS firewall here, yes we can do bridging.
But if you talk about the crowd, I have generally seen them splitting the IP block!!
Cheers,
Manasi!