Cisco ASA - Virtual Contexts - Cascade Setup

fgfuentes
Level 1

Hello, due to some certifications that I need to get for my current platform, they request that I set up a firewall between the DMZ and the inside network. I recently installed brand new Cisco ASA 5545-X firewalls (v9.7) with cluster licensing, so I was thinking of setting up 2 contexts, one for each LAN, in cascade mode. Of course I need to be able to reach the INSIDE servers from the DMZ, since all the databases are on the inside network (just specific ports).

I tried running a simulation of this architecture in Cisco Packet Tracer (although you can only use an ASA 5505 with v8.4, it should be the same apart from some different commands) with the current setup: (image attached network_example.png)

1. DMZ Firewall/Network:
- outside interface connected to the simulated ISP (1.1.1.0)
- dmz interface connected to the DMZ network switch (172.23.0.0)
- dmz servers (with public addresses NATed from the ISP to test their connection to the outside world)

2. INSIDE Firewall/Network:
- outside interface connected to the DMZ network switch (172.23.0.254 - is this the correct way to set it up, or should it go directly to another interface on the DMZ Firewall ???)
- inside interface connected to the INSIDE network switch (192.168.16.0)
- inside servers

Questions/Problems:

1. I can reach the DMZ servers from the INSIDE network using NAT and access lists, but I haven't been able to reach the INSIDE servers from the DMZ network. I've tried using NAT, routing and access lists but still haven't figured out how to reach them. Any clues on how I should proceed?

2. I currently have 2 platforms (production/contingency) which are connected through a site-to-site VPN connection so the database servers can be synchronized periodically. Since the ISP connection is on the DMZ firewall, and the databases are on the INSIDE firewall, are the database servers on each platform going to be able to reach each other, or would it be easier to get a dedicated connection between the 2 INSIDE Firewalls and set up the site-to-site VPN through this channel?

Firewall configs:

1. DMZ Firewall:

daycodmz#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname daycodmz
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.23.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
object network LAN
 subnet 172.23.0.0 255.255.255.0
object network core
 host 172.23.0.2
object network web
 host 172.23.0.4
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
access-list in_to_internet extended permit tcp any any
access-list in_to_internet extended permit icmp any any
access-list in_to_inside extended permit icmp any any
!
access-group in_to_internet in interface outside
access-group in_to_inside in interface dmz
object network LAN
 nat (dmz,outside) dynamic interface
object network core
 nat (dmz,outside) static 1.1.1.3
object network web
 nat (dmz,outside) static 1.1.1.4

2. INSIDE Firewall:

daycoinside#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname daycoinside
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.23.0.254 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
object network inside
 subnet 192.168.16.0 255.255.255.0
!
access-list in_to_internet extended permit icmp any any
access-list in_to_internet extended permit tcp any any
!
access-group in_to_internet in interface outside
object network inside
 nat (inside,outside) dynamic interface

1 Reply

Bogdan Nita
VIP Alumni

1. I believe you are missing some routing config, and I do not see the point of having NAT on the INSIDE Firewall.

DMZ Firewall:

route dmz 192.168.16.0 255.255.255.0 172.23.0.254

INSIDE Firewall:

route outside 0.0.0.0 0.0.0.0 172.23.0.1
no nat (inside,outside) dynamic interface

2. It should not be a problem having the VPN terminated on one context and then sending the traffic to a different context.

I would avoid having my INSIDE Firewall in the same network as the DMZ servers. I would set up a dedicated interface to the INSIDE Firewall.

Also, for testing purposes you are better off using an emulator like GNS3 instead of Packet Tracer, which is a simulator.
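As an added example (not from the original post or the reply above), here is the routing and NAT change the reply describes, written out against the posted configs and tightened so that only the DMZ web server can reach the database host on its service port instead of the current permit tcp any any. The database host 192.168.16.10 and TCP port 1433 are assumed placeholders, as is the object name db_server.

```cisco
! ---- DMZ Firewall (daycodmz) ----
! Tell the DMZ firewall that the INSIDE network sits behind the INSIDE
! firewall's outside address on the DMZ segment.
route dmz 192.168.16.0 255.255.255.0 172.23.0.254 1
! DMZ servers use 172.23.0.1 as their gateway, so a packet for
! 192.168.16.0/24 enters and leaves the same dmz interface. The ASA drops
! such hairpinned traffic unless intra-interface forwarding is permitted.
same-security-traffic permit intra-interface

! ---- INSIDE Firewall (daycoinside) ----
! Default route towards the DMZ firewall. No NAT is needed on this hop:
! the DMZ firewall already translates to the ISP addresses, and the
! dynamic PAT hid every inside host behind 172.23.0.254, which is why the
! DMZ could never initiate a connection to them.
route outside 0.0.0.0 0.0.0.0 172.23.0.1 1
object network inside
 no nat (inside,outside) dynamic interface
! Assumed placeholders: the database host and the DMZ web server object.
object network db_server
 host 192.168.16.10
object network dmz_web
 host 172.23.0.4
! Replace the blanket TCP permit on the outside (DMZ-facing) interface
! with a rule scoped to one source, one destination and one port.
no access-list in_to_internet extended permit tcp any any
access-list in_to_internet extended permit tcp object dmz_web object db_server eq 1433
access-list in_to_internet extended permit icmp any any
access-group in_to_internet in interface outside
```

With the INSIDE firewall's outside interface on the DMZ segment, replies from the inside network go straight to the DMZ server and bypass the DMZ firewall, so that device only ever sees half of each flow; the dedicated interface the reply recommends avoids this asymmetry.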
