cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6391
Views
0
Helpful
5
Replies

Proper way to implement DMZ

dbuckley77
Level 1
Level 1

We currently have an ASA with internal, DMZ and outside interfaces/zones.

 

The DMZ hosts (web servers, ftp server etc etc) tie into the switching infrastructure on an unrouted VLAN. All DMZ hosts have public IPs only.  There are no internal IP addresses on them and no nat going on for them.

 

We are concerned that this is not the proper way to setup a DMZ.  Should we be assigning these hosts private internal IPs and natting them.  How would that look on the ASA?  Would there be two separate network objects, one for the internal IP and one for the external?  Would we use the network  object with the external IP for all rules in the DMZ?

 

Are there any other best practices to follow with creating a DMZ on the ASA?

 

Any input would be greatly appreciated.

 

Thanks

1 Accepted Solution

Accepted Solutions

Yes you would create a new private IP subnet and use NAT rules to translate those IPs to your public IPs.

I'm not sure what your exact question is, are you asking how to do NAT ?

As for the general discussion there are different viewpoints on that.

NAT was never designed to be a security tool and some people argue strongly that you should not rely on NAT for security. So whichever type of addressing you use the argument is that you control the traffic with acls and if you configure those acls correctly then it should make no difference as to which type of addressing you use.

Other's argue that NAT can provide some level of security. Certainly for the standard NAT where you hide all your internal IPs behind a public IP for general internet access it could be argued that this does provide some security as connections cannot be made from the outside, only return traffic is allowed back in.

But for static NAT statements you are actually allowing outside connections. This is also why some people specify the ports in their static statements ie not just to preserve IPs but also because you will only be allowed to connect to that specific port.

If you don't specify the ports then in theory any port can be connected to although obviously this is where your acls come in.

For me your security comes primarily from your acls and any security benefit you gain from NAT (if any) is a plus but should not be relied on.

So in your case if you use private IPs and do a direct translation between a private IP and public IP it is pretty much the same as using public IPs directly ie. you are totally reliant on your acl configuration which is not a bad thing.

There may be other advantages or disadvantages but I can't think of any.

Perhaps others could comment.

It really is up to you as to which you do.

If you do choose to use private IPs make sure you have "permit arp-nonconnected" in your configuration (it may or may not be on by default).

Jon

View solution in original post

5 Replies 5

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

The biggest advantage of using the private range would that you will be saving the Public IP range , protecting the Server's Real IP address.

It would look like something similar to the internal Servers natted to the Public range.

Yes , it would have ACL (Pre 8.2) as the network object in the ACL.

Thanks and Regards,

Vibhor Amrodia

I'm still confused.  We currently have all the DMZ hosts using public IPs with the gateway for them being a public IP on the DMZ interface.  If we wanted to change it so that the DMZ hosts had private IPs that were 1to1 statically natted to public IPs (we have a block big enough for all DMZ hosts)  what would be the best way to accomplish this on an ASA5510?

 

I am thinking that we would do the following

 

1.  create a new, unique private subnet for the DMZ hosts, use an IP from that subnet to assign to the DMZ interface as the DMZ gateway

 

2.  Do a 1to1 nat rule for each host to a unique public IP. 

3.  create address objects for each hosts internal and external IP

4.  Create ACLs in the DMZ and other zones that require access to the DMZ hosts using the external address objects.

 

Am I thinking about this right or would the DMZ hosts actually be part of the internal lan and natted from there?

 

I need clarification.

Your DMZ hosts should definitely not be part of your internal LAN in terms of being able to route to other vlans without going through the firewall.

Some people do reuse their internal switch eg a modular switch to connect the DMZ hosts to in their own dedicated vlan but the key thing is the L3 interface for that vlan has to be on the firewall so to get to and from that DMZ you would go via the firewall.

Others use a dedicated switch.

In terms of NAT yes you would setup NAT translations and any acls you need.

Whether you need to is really up to you. As Vibhor says using private IPs allows you to reuse some of your public IPs and this is why you see a lot of designs with private IPs on the servers.

But it sounds like that is not an issue for you ?

Jon

SO currently we have a /27 given to us by the ISP for use on our outside interface and another, separate /27 given to us from the ISP which we are using for the DMZ hosts.

The DMZ hosts are on their own VLAN which lives on the same switches as our internal LAN.  This VLAN is not being routed to any of the internal VLANS but we do have ACLs on the ASA to allow access from the outside and inside interfaces to certain DMZ hosts as well as ACLs allowing certain DMZ hosts access to certain internal resources.  As I stated the DMZ hosts currently have public IPs on them so all rules concerning them are using public IP address objects.

 

That is how it is currently setup.  Would it make sense to leave it like that and just continue making ACLs as needed using the DMZ public IPs or should we NAT the DMZ hosts.  If we did NAT them how exactly would that be done? 

Would we create a new private subnet and use IPs from it to assign to the DMZ hosts and then do 1 to 1 NAT rules to IPs from the /27 on our outside interface, while assigning an IP from the new private subnet to the DMZ interface on the ASA as the gateway for the DMZ network? When using private IPs on DMZ hosts exactly what do those private IPs get natted to on the outside?  I guess what I need to know if the finer points of how DMZ hosts are natted when you put private IPs on them when using an ASA.

 

Also any general discussion of why it would be better to use public vs nat or vice versa when conserving public IPs is not a concern would be most appreciated.

 

 

Yes you would create a new private IP subnet and use NAT rules to translate those IPs to your public IPs.

I'm not sure what your exact question is, are you asking how to do NAT ?

As for the general discussion there are different viewpoints on that.

NAT was never designed to be a security tool and some people argue strongly that you should not rely on NAT for security. So whichever type of addressing you use the argument is that you control the traffic with acls and if you configure those acls correctly then it should make no difference as to which type of addressing you use.

Other's argue that NAT can provide some level of security. Certainly for the standard NAT where you hide all your internal IPs behind a public IP for general internet access it could be argued that this does provide some security as connections cannot be made from the outside, only return traffic is allowed back in.

But for static NAT statements you are actually allowing outside connections. This is also why some people specify the ports in their static statements ie not just to preserve IPs but also because you will only be allowed to connect to that specific port.

If you don't specify the ports then in theory any port can be connected to although obviously this is where your acls come in.

For me your security comes primarily from your acls and any security benefit you gain from NAT (if any) is a plus but should not be relied on.

So in your case if you use private IPs and do a direct translation between a private IP and public IP it is pretty much the same as using public IPs directly ie. you are totally reliant on your acl configuration which is not a bad thing.

There may be other advantages or disadvantages but I can't think of any.

Perhaps others could comment.

It really is up to you as to which you do.

If you do choose to use private IPs make sure you have "permit arp-nonconnected" in your configuration (it may or may not be on by default).

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: