11-13-2011 11:05 PM - edited 03-11-2019 02:49 PM
Hi,
I need to implement a DMZ in my office. Before talking about the configuration, I would like to know the best practices for implementing a DMZ.
My questions are:
1) Is traffic from inside to DMZ permitted by default?
2) What about DMZ to inside traffic?
3) Is it necessary to do a NAT from inside to DMZ with the same IP as the inside?
4) What is the use of "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"? Is it a no-NAT statement?
5) Is it necessary to permit traffic from DMZ to inside?
6) Suppose I have a web server in the DMZ; for an inside host, will it take the path through the ASA or the path through the internet?
Please share your advice.
Thanks
Vipin
11-13-2011 11:17 PM
Hi Vipin,
Here are your answers:
1) Is traffic from inside to DMZ permitted by default?
Yes, from higher security to lower, traffic is permitted by default.
2) What about DMZ to inside traffic?
No, you would need to allow the traffic through an ACL.
3) Is it necessary to do a NAT from inside to DMZ with the same IP as the inside?
If you have no nat-control enabled, then no need; if nat-control is enabled, you would need it.
4) What is the use of "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"? Is it a no-NAT statement?
Yes, it is a self-static and sort of a no-NAT statement. If going from DMZ to inside, the destination should not be NATted.
5) Is it necessary to permit traffic from DMZ to inside?
Yes, definitely.
6) Suppose I have a web server in the DMZ; for an inside host, will it take the path through the ASA or the path through the internet?
Depends on your NAT translation, i.e. whether you want users to access the DMZ servers on the public IP or the private IP. In both cases the request would go through the ASA only.
Hope that helps,
Thanks,
Varun
11-14-2011 12:12 AM
Hi,
3) Is it necessary to do a NAT from inside to DMZ with the same IP as the inside?
If you have no nat-control enabled, then no need; if nat-control is enabled, you would need it.
5) Is it necessary to permit traffic from DMZ to inside?
Yes, definitely.
6) Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?
Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only.
I have doubts on the above points.
1) What exactly is Nat-control?
2) What is the need to permit traffic from DMZ to inside.
3) "
Depends on your nat translation, if you want users to access the DMZ servers on public ip or private ip. In both the cases the request would go through ASA only."
The web server is publishing a web page, right? Also it has a public IP address. So whenever we try to access that web page it should go through the internet, right?
If it is something like RDP it will go through inside interface -- ASA -- DMZ interface -- web server, right?
Is my concept clear?
I am asking this because I need to get it clarified before implementation.
Please advise.
Thanks
Vipin
11-14-2011 12:22 AM
Hi Vipin,
Nat-control is a feature which, when enabled on the ASA, requires a translation for every traffic flow through the ASA; if it is not enabled, you can just allow traffic through an ACL.
Here's a reference guide for it:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857
DMZ to inside access depends upon your requirement; if you don't need it, don't allow the traffic. If you want traffic from inside to DMZ, that would be allowed by default.
To allow access to webpage on inside interface as well as from the internet, you would need to add two static commands:
Let's say the server public IP is 1.1.1.1 and the private IP is 10.1.1.1,
then:
static (dmz,outside) 1.1.1.1 10.1.1.1
static (dmz,inside) 1.1.1.1 10.1.1.1
The traffic from the inside interface would go through the ASA only, and from outside it would come from the internet and then go to the DMZ.
That's all you should need as far as NAT is concerned.
Hope that helps.
Thanks,
Varun
11-14-2011 12:41 AM
Hi ,
Got it.
My requirement is as below.
1) Configure a DMZ with a server. (This server is used to download data from other locations. I know the IP addresses of the other servers; they are publicly available.)
2) Now this server is connected directly to a modem. So after DMZ creation also this will as this.
3) Need to access the DMZ server from inside. By default it is there, right?
I will tell my plan. please suggest if it has any errors?
1) Put the server into the DMZ interface
2) Configure a new network for the DMZ
3) Configure static NAT for the server using the static (dmz,outside) command
4) Permit rule for accessing this server from other servers
5) Permit static (inside,dmz) 192.168.1.0 192.168.1.0 for accessing the DMZ server from an inside host
Did I miss anything?
Please advise.
Thanks
Vipin
11-14-2011 12:51 AM
Hi Vipin,
Yes, you are absolutely correct as per your requirement, but just one thing: if your DMZ server is in the 192.168.1.0 network, then you would need the following static:
static (dmz,inside) 192.168.1.0 192.168.1.0
Rest everything is good.
Thanks,
Varun
11-14-2011 12:57 AM
Hi,
static (dmz,inside) 192.168.1.0 192.168.1.0 -- is this required? My inside is in the range 192.168.1.0. The DMZ will be in the range 192.168.2.0.
Please advise.
Thanks
11-14-2011 01:14 AM
No, NAT would not be required for inside; you would just need NAT for the DMZ:
static (dmz,inside) 192.168.2.0 192.168.2.0
For inside, you would need:
nat (inside) 1 0 0
global (dmz) 1 interface
Try it and let me know; it should work fine.
Thanks,
Varun
11-14-2011 07:17 PM
Please check the below scenario and configuration and let me know whether it will work or not.
Assume my inside network is 192.168.1.0/24
outside network is 199.199.7.64/29
DMZ network is 192.168.2.0/24
DMZ server IP address --> 192.168.2.2
Please see the below configuration which I am planning to implement.
===================================
1) Configure interfaces, IP addresses
===================================
interface Ethernet0/0
description "Connection to LAN"
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
description "Connection to outside"
nameif outside
security-level 0
ip address 199.199.7.66 255.255.255.248
!
interface Ethernet0/2
description "DMZ"
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
=====================================
2) Configuring PAT for inside and default route
=====================================
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 199.199.7.65 1
=====================================
3) Configure static NAT for DMZ server
=====================================
static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255
=====================================
4) Rule to permit traffic from outside to DMZ server
=====================================
access-list OUTSIDE_INSIDE extended permit ip any host 199.199.7.67
access-group OUTSIDE_INSIDE in interface outside
====================================
5) Rule to permit traffic from DMZ server to outside
====================================
access-list DMZ_OUTSIDE extended permit ip host 192.168.2.2 any
access-group DMZ_OUTSIDE in interface DMZ
====================================
6) No NAT from inside to DMZ and DMZ to inside
====================================
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
====================================================================================
I have some questions also.
1) Are these configurations right?
2) Is there anything wrong in title 5 and title 6 (I mean the configuration I mentioned above)?
3) Is there anything else I need to configure?
Please advise.
Thanks
Vipin
11-14-2011 07:24 PM
Hi Vipin,
I do not find anything wrong in 6, but you need not configure 5, since by default traffic from higher security to lower security is permitted; even if you remove it, the DMZ would be able to access the internet.
Moreover, this is not correct:
=====================================
3) Configure static NAT for DMZ server
=====================================
static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255
It should be:
static (DMZ,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255
In 2, you would also need this global statement:
global (DMZ) 1 interface
Rest everything is fine.
Hope that helps,
Thanks,
Varun
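The two rules this thread turns on are the security-level default (higher-to-lower traffic is permitted without an ACL, lower-to-higher needs one) and the interface pair in a `static` statement (the real address must belong to the first, "real", interface, which is why `static (inside,outside) ... 192.168.2.2` was wrong for a DMZ host). The following is an added example, not code from the thread or from Cisco: a small Python checker that models both rules against the thread's sample topology. The interface table, `parse_static`, `check_static` and `allowed_by_default` are constructed for this illustration and are not ASA commands or an ASA API.

```python
import ipaddress

# Constructed topology, copied from the thread's sample addresses:
# inside 192.168.1.0/24 (level 100), DMZ 192.168.2.0/24 (level 50),
# outside 199.199.7.64/29 (level 0).
INTERFACES = {
    "inside":  {"security_level": 100, "subnet": ipaddress.ip_network("192.168.1.0/24")},
    "dmz":     {"security_level": 50,  "subnet": ipaddress.ip_network("192.168.2.0/24")},
    "outside": {"security_level": 0,   "subnet": ipaddress.ip_network("199.199.7.64/29")},
}


def allowed_by_default(src_if, dst_if):
    """Classic ASA behaviour: a flow initiated from a higher security-level
    interface toward a lower one passes without an access-list; any other
    direction needs an ACL applied inbound on the source interface."""
    return INTERFACES[src_if.lower()]["security_level"] > INTERFACES[dst_if.lower()]["security_level"]


def parse_static(line):
    """Parse 'static (real_if,mapped_if) mapped real [netmask M]' (pre-8.3 syntax).
    Returns the interface names in lower case and both addresses as networks
    so that host statics and subnet (identity) statics are handled alike."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    real_if, mapped_if = parts[1].strip("()").split(",")
    mapped, real = parts[2], parts[3]
    mask = "255.255.255.255"            # ASA default for a host static
    if "netmask" in parts:
        mask = parts[parts.index("netmask") + 1]
    return {
        "real_if": real_if.lower(),
        "mapped_if": mapped_if.lower(),
        "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
        "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
    }


def is_identity_static(line):
    """A 'self-static' (mapped == real) is the no-NAT idiom from the thread."""
    s = parse_static(line)
    return s["mapped"] == s["real"]


def check_static(line):
    """Return a list of problems with a static statement (empty when it is fine).
    The only rule modelled is the one the thread corrects: the real address
    must sit on the real (first-named) interface's subnet."""
    s = parse_static(line)
    problems = []
    for name in (s["real_if"], s["mapped_if"]):
        if name not in INTERFACES:
            problems.append(f"unknown interface {name!r}")
    if problems:
        return problems
    real_subnet = INTERFACES[s["real_if"]]["subnet"]
    if not s["real"].subnet_of(real_subnet):
        problems.append(
            f"real address {s['real']} is not on interface {s['real_if']} "
            f"({real_subnet}); the real interface is probably wrong"
        )
    return problems


if __name__ == "__main__":
    for src, dst in (("inside", "DMZ"), ("DMZ", "inside"), ("DMZ", "outside")):
        print(f"{src} -> {dst}: {'allowed by default' if allowed_by_default(src, dst) else 'needs ACL'}")
    for stmt in (
        "static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255",
        "static (DMZ,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255",
        "static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0",
    ):
        print(stmt, "->", check_static(stmt) or "ok", "(identity)" if is_identity_static(stmt) else "")
```

Run as a script, the checker flags the original `static (inside,outside)` line because 192.168.2.2 is not on the inside subnet, accepts the corrected `static (DMZ,outside)` form, and recognises the subnet self-statics in section 6 as identity (no-NAT) entries. It checks only the real side on purpose: the mapped address of a one-to-one static need not belong to the mapped interface's subnet (the `1.1.1.1` on `inside` example earlier in the thread relies on routing, not on the subnet), so a stricter check would produce false positives.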
11-14-2011 07:28 PM
Hi,
Thanks, I got it.
So it will work, right? Also, are you aware of the port numbers used for signature updates of Trend Micro antivirus?
If you do, please specify.
Thanks
Vipin
11-14-2011 07:35 PM
Hi Vipin,
Are you talking about the CSC module or the IPS module? In both cases updates are done through ports 80 and 443.
Thanks,
Varun
11-14-2011 07:39 PM
Hi,
I am not aware of these modules. It would be great if you could share some information regarding these modules. In a normal case, which would be the port numbers for virus signature updates?
I am also searching for the port numbers.
Thanks
Vipin
11-14-2011 07:49 PM
Hi Vipin,
These modules use ports 80 and 443 for signature updates and other anti-virus updates. CSC updates from the Trend Micro servers and IPS from Cisco sites.
CSC - Content Security Module.
It is used for filtering and blocking web traffic like SMTP, FTP, HTTPS, HTTP and POP3.
IPS - Intrusion Prevention module
It is used to detect any intrusion based upon specific patterns defined in signatures.
Here are the docs for the 2:
CSC:
http://www.cisco.com/en/US/products/ps6823/index.html
IPS:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cliguide.html
Hope that helps.
Thanks,
Varun
11-14-2011 08:03 PM
Hi,
No, no, not this. I have a separate antivirus server. It is from Trend Micro.
Thanks for your help
Vipin