09-02-2009 04:14 AM - edited 03-11-2019 09:11 AM
I currently have a couple of public servers on our internal network and I'm using the new Public Server option in ASA 8.2. What I have done is created a new interface on my ASA called DMZ with sub-interfaces in addition to my current Inside and Outside. The DMZ is trunked into my LAN on a layer 2 VLAN only so traffic isn't exposed. Outside interface is 0, DMZ is 50, and Inside is 100. I'm trying to figure out why I can't manage the DMZ server from my internal network. Any suggestions?
09-02-2009 05:22 AM
How are you trying to manage it (RDP, SSH)? Do you have an inside ACL in place? Is it allowing the traffic? Can you see the DMZ server from the ASA?
09-02-2009 11:03 AM
Well, let me explain a little further. I actually failed to add the new DMZ VLAN on the BladeCenter switch, so now I can get to it. This DMZ server is a VM on an IBM BladeCenter. It is sitting on its own VLAN which gets trunked back to the ASA on a separate interface. Now our server admin can't join it to our domain. I have the DMZ ACL to the Outside interface disabled and have the DMZ interface allowing ip any to the inside interface. What is a best practice for managing a DMZ server? Configuring rules to allow RDP, DNS, HTTP, etc.?
09-02-2009 11:07 AM
IMO a DMZ server should not be part of the domain, so only the necessary ports should be open. If security is important use IPSec or RPC over HTTPS. Since you're going from a higher security interface to a lower one, you'll need to NAT. Do you have that in place? What do the logs say when the server guys try to add it to the domain?
09-02-2009 11:21 AM
The only NAT rule I have in place is the internal IP of the server mapped to the public IP.
09-02-2009 11:25 AM
You will need one from DMZ to inside and DMZ to outside (if you want internet access).
09-02-2009 11:30 AM
Could you provide a CLI example of the DMZ to inside? Thanks for your time!
09-02-2009 11:59 AM
Sure-
There are a couple of ways to do it. Let's assume the inside subnet is 192.168.5.0/24.
Translate all IPs
==================
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Translate a single IP
======================
static (inside,dmz) 192.168.5.10 192.168.5.10 netmask 255.255.255.255
You could also do NAT exempt.
09-02-2009 12:24 PM
From reading the documentation for 8.2, I saw the same sort of rule. We use an entire 10.0.0.0/8 scope. When I add static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 the ASA accepts it but the ASDM won't allow it. The NAT rule ended up displaying in the ASDM after I added it, though. I was able to ping the DMZ IP before I added this NAT, so is it necessary?
09-02-2009 12:29 PM
NAT is not required when going from a higher security interface to a lower one (such as your ping). When you go from a lower one to a higher one you have to NAT. The NAT statement you put in only affects traffic sourced from the DMZ destined to the inside. I don't use ASDM so I can't help too much on what you saw.
09-02-2009 01:02 PM
Ok, so the (inside,dmz) was backwards.
I changed it to static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 and we still can't contact the domain controller.
09-02-2009 01:07 PM
Now it's backwards; it should be:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
It's a bit confusing, but what we are doing is telling the ASA that when the DMZ server wants to talk to a server on the 10 network, translate it to the same 10 network IP.
Check your log when you try to add the server to the domain and post what you see.
09-02-2009 01:10 PM
Michael
"Ok, so the (inside,dmz) was backwards."
No it wasn't. What Collin was explaining was that if you wanted to ping the DMZ from inside you do not need a NAT statement.
If however you wanted to initiate any connection from the DMZ to the inside then you will need
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
although personally I wouldn't use a static that big, i.e. the whole 10.0.0.0/8 internal network.
As for the domain controller thing, I agree totally with Collin in that you shouldn't run a machine in the DMZ that is part of your internal domain - Windows networking is just not secure enough and you end up opening no end of ports.
Does it really need to be a member of the internal domain, or is it just so you can remotely manage it?
If you absolutely must do this, then if you need to find out the ports:
1) add the NAT rule as above
2) add an ACL to the dmz interface
access-list DMZIN permit ip host
Then you should at least be able to see, by checking the logging, what ports are being used.
Jon
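Putting Collin's identity static and Jon's "ACL plus logging" step together, here is what the relevant part of an ASA 8.2 configuration looks like. This is an added example, not a configuration posted by anyone in the thread; the interface name (GigabitEthernet0/2.50), the DMZ subnet 192.168.50.0/24, the server 192.168.50.10, its public address 203.0.113.10, and the inside server subnet 10.1.1.0/24 (with a DNS/domain server at 10.1.1.5) are all assumptions chosen for illustration. Following Jon's point about the /8, the identity static is narrowed to the one inside subnet the DMZ host actually needs to reach.

```cisco
! Interfaces: DMZ is a VLAN 50 sub-interface on the trunk, with the security
! levels used in the thread (outside 0, dmz 50, inside 100). Names assumed.
interface GigabitEthernet0/2.50
 vlan 50
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Public server: the DMZ host published on its outside address.
! (This is the one NAT rule the original poster already had.)
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
!
! Identity static, higher-security (real) interface named first, so that a
! connection initiated on the DMZ toward an inside host has a translation to
! match. Limited to the inside subnet holding the servers the DMZ box needs,
! rather than the whole 10.0.0.0/8.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Inbound ACL on the DMZ interface: permit only what the server needs toward
! inside (here DNS to 10.1.1.5), log every other attempt toward the inside
! network so the ports it is asking for show up in the syslog, then let it
! reach the Internet.
access-list DMZIN extended permit udp host 192.168.50.10 host 10.1.1.5 eq domain
access-list DMZIN extended permit tcp host 192.168.50.10 host 10.1.1.5 eq domain
access-list DMZIN extended deny ip host 192.168.50.10 10.0.0.0 255.0.0.0 log
access-list DMZIN extended permit ip host 192.168.50.10 any
access-group DMZIN in interface dmz
!
! Management from inside: RDP only, from the admin subnet. This line is only
! needed if an ACL is applied inbound on the inside interface; with no inside
! ACL, inside (100) to dmz (50) is already permitted by security level.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.50.10 eq 3389
!
! Checks: is a translation mandatory on this box, and what does the ASA do
! with a DMZ-to-inside flow and an inside-to-DMZ RDP flow?
show running-config nat-control
packet-tracer input dmz tcp 192.168.50.10 1025 10.1.1.5 53
packet-tracer input inside tcp 10.1.1.20 1025 192.168.50.10 3389
show logging | include 192.168.50.10
```

The `show running-config nat-control` output tells you whether this ASA insists on a translation for every flow; when it does, or when an existing `nat (inside)` rule already matches inside sources, the identity static (or a `nat (inside) 0 access-list` exemption, which Collin mentions as the alternative) is what lets the DMZ-to-inside connection through. The two `packet-tracer` commands show the verdict phase by phase (ACL, NAT, route), which is quicker than guessing which of the two statics is "backwards". The explicit `deny ... log` line is what makes Jon's step 2 useful: the denied flows appear in `show logging` with their destination ports, so you can add narrow permits instead of `permit ip any`.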
09-03-2009 09:38 AM
Thanks guys, I think I have found the solution. I got it working and added a couple of ACLs for the DMZ server to communicate with the inside network. We're also going to be configuring something called vShield in VMware 4.0.