cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1250
Views
0
Helpful
6
Replies

DMZ Sandwich setup?

louis0001
Level 3
Level 3

Hi,

I've been asked to setup a DMZ sandwich setup. I understand that this is seen as possibly overkill or an old way to do things but unfortunately I don't have much choice.
I'm familiar with setting up a normal DMZ but am trying to figure out how to go about it in this setup, specifically how to setup the inside ip of the server and how that would relate to the ip of the inside DMZ and the inside network. Would we have to use nat again or could we give the server inside ip an address in the same range as the inside network (DMZ IN would have an address in this range as well) and then just use firewall rules to allow access from the inside to the inside address of the server?

ASA OUTSIDE (block of 8 public ip's)
|
DMZ OUT (172.31.254.1/24)
|
SERVER OUTSIDE IP (172.31.254.100/24) static nat from one of the public ip's to https
SERVER INSIDE IP (?? what IP to set here?)
|
DMZ IN (?? what IP to set here?)
|
INSIDE (10.0.0.1/24)

6 Replies 6

Syed Taukir
Level 1
Level 1

Can you share output of

show ip, show version

Questions:

do you want to go from

inside to outside and vice versa

DMZ to outside and vice versa

inside to dmz and vice versa

Also is there a server and if yes on which interface ?

Do you want traffic from outside to access the server ?

Hi,

yes all of the above. We already have a DMZ setup with our forward facing servers generally having one interface that we can reach from the inside to the DMZ and the servers can be reached from the internet using static nat.

However, this new server introduces a 2nd interface eg it has an outside interface (we put this into our DMZ as normal) and all outside connections are statically natted to it. This works as normal.
It does however, have a 2nd interface which serves as the inside interface on the server and we've been told to connect this to another DMZ interface rather than connect it directly into the network.
This makes sense if you think about it as connecting it directly to the inside lan without any firewalling is sort of bypassing the DMZ.
So basically, the inside interface of the server requires an ip address which we can set ourselves and then this will connect to another sub interface on the ASA which can access the lan.
It's a double DMZ eg LAN > DMZ IN INTERFACE > SERVER INSIDE IP > SERVER OUTSIDE IP > DMZ OUT INTERFACE > OUTSIDE and vice versa for traffic coming from outside to the server.

Hi Louis, 

I'm still not very clear. Can you send the old topology of what you previously had with the config? Also please send the new topology as it's very confusing on where the ASA fits in ?

You can draw topologies using the below link.

http://www.asciiflow.com/#Draw

ok, here goes....

E0 = OUTSIDE 123.123.123.123/29  security level 0
E2.100 = DMZ OUTSIDE 172.31.254.1/24 (vlan 100) security level 50
Server Outside IP = 172.31.254.10/24 (vlan 100)
Server Inside IP = 10.0.0.100/24 (vlan 200)
E2.200 = DMZ INSIDE 10.0.0.1/24 (vlan 200) security level 60
E1 = INSIDE 10.0.0.2/24 security level 100

The above from the top is the flow of traffic from outside. Traffic would be resolved to public ip and then statically natted to the servers outside interface (as you would with normal DMZ)
The server processes the traffic and forwards it out of the servers inside ip which now has to connect to another sub interface which only allows specific traffic to the lan.
I'm not sure if the server inside ip can be the same on the same subnet as the INSIDE but connected to another interface E2.200 with a lower security level than the INSIDE

If you had two physical ASA's, then the server inside IP would then connect to the OUTSIDE of the second ASA like so:

ASA1 OUTSIDE (internet) > ASA1 DMZ > SERVER INT 1 > SERVER INT 2 > ASA2 OUTSIDE > ASA2 INSIDE (corp network)

However, we only have the one ASA, so the connection will look like:

ASA1 OUTSIDE (internet) > ASA1 DMZ INT 1 > SERVER INT 1 > SERVER INT 2 > ASA1 DMZ INT 2 > ASA1 INSIDE (corp network)

If you are using a different interface you need a different IP subnet.

So simply create a DMZ for the servers inside IP subnet.

Jon

You just use a another subnet for the inside server DMZ, no need for public IP addressing.

Your front end firewall(s) control access to the public IP and your backend firewall(s) control access to the private IP.

Jon

Review Cisco Networking for a $25 gift card