Public static IP address and DMZ

itlklubos6
Level 1

Hi,

I have an ASA 5505 with the Base licence, v9.1, ASDM 7.1. I want to create a DMZ for a web server.

The interface 0 is for the outside network

The interface 6 is for the DMZ

All other interfaces are for the inside network

My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252

1/

I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?

I tried to assign the static IP address to the outside interface first, but then when I used the ASDM "Public Servers" feature to configure NAT, I got an error message that the outside interface and the public address cannot have the same IP address.

2/

For the sake of peace of mind, I am thinking about using a second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the first firewall, or is there a better solution?

Thank you for your time and help.


4 Replies

Jouni Forss
VIP Alumni

Hi,

You would be better off configuring the public IP address on the "outside" interface of the ASA5505.

By default you will have some Vlan interface which has all the IP address configuration under it. That Vlan is then attached to some physical interface. In your case it seems to be the Ethernet0 port.

With the public IP address configured on the "outside" interface you could then use port forwarding to forward the Web service to the DMZ server.

Here's an example configuration:

interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Vlan1
 description INSIDE
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan10
 no forward interface Vlan1
 description DMZ
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
object network WEB-SERVER
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp 80 80
!
access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside

The above configuration is meant to illustrate:

  • the "outside", "inside" and "dmz" interfaces
  • The "dmz" interface is configured with the "no forward interface Vlan1" command, as that is the only way to activate a third Vlan interface on an ASA5505 with only the Base License. This will prevent "dmz" hosts from opening a connection to "inside". Notice though that "inside" hosts can still open connections towards the "dmz".
  • A Static PAT (port forward) configuration between "outside" and "dmz" which gives the DMZ server 192.168.10.10 visibility to the Internet using the "outside" interface's public IP address. The only service forwarded to the "dmz" server is TCP/80 (www).
  • OUTSIDE-IN is the access-list attached to the "outside" interface to allow Web traffic from any source address to the DMZ server.
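As an added check for the design in the reply above (example written for this page; it is not code from the thread or from Cisco), the following Python audit parses an ASA running-config fragment and answers the three questions the reply raises: which DMZ services are actually reachable from the Internet (a service needs both a static NAT to the outside interface and a permitting entry in the ACL applied inbound on outside), which inbound outside ACL entries are wider than "one protocol/port to one object", and whether every VLAN sitting between outside and inside carries "no forward interface" toward the inside VLAN. The posted configuration is embedded as constructed input; the weak variant (no-forward line dropped, "permit ip any any" on outside) is hypothetical. The parser only understands the forms used in the thread: host objects, static PAT with "service", and ACL endpoints of any/host/object.

```python
import re

# Constructed sample: the configuration from the reply above ('ip add' written out,
# description lines omitted), embedded so the audit runs offline. Not a live device.
POSTED_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Vlan10
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
object network WEB-SERVER
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp 80 80
access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside
"""
# Hypothetical weak variant: 'no forward interface' dropped and an ACL that permits everything.
WEAK_CONFIG = POSTED_CONFIG.replace(" no forward interface Vlan1\n", "").replace(
    "access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80",
    "access-list OUTSIDE-IN permit ip any any")

ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) "
                    r"(any|host \S+|object \S+) (any|host \S+|object \S+)(?: eq (\S+))?")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (\S+) (\S+) (\S+))?")


def parse_asa(text):
    """Collect interfaces, network objects (with their NAT lines), ACL entries and access-groups."""
    cfg = {"ifaces": {}, "objects": {}, "acls": {}, "groups": {}}
    kind = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            block = cfg["ifaces"].setdefault(m[1], {"vlan": m[1], "nameif": "", "level": -1, "no_forward": []})
            kind = "if"
        elif m := re.fullmatch(r"object network (\S+)", line):
            block, kind = cfg["objects"].setdefault(m[1], {"name": m[1], "host": "", "nat": []}), "obj"
        elif m := ACL_RE.fullmatch(line):
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])  # (action, proto, src, dst, port)
        elif m := re.fullmatch(r"access-group (\S+) (in|out) interface (\S+)", line):
            cfg["groups"][m[1]] = (m[2], m[3])
        elif kind == "if" and (m := re.fullmatch(r"nameif (\S+)", line)):
            block["nameif"] = m[1]
        elif kind == "if" and (m := re.fullmatch(r"security-level (\d+)", line)):
            block["level"] = int(m[1])
        elif kind == "if" and (m := re.fullmatch(r"no forward interface (\S+)", line)):
            block["no_forward"].append(m[1])
        elif kind == "obj" and (m := re.fullmatch(r"host (\S+)", line)):
            block["host"] = m[1]
        elif kind == "obj" and (m := NAT_RE.fullmatch(line)):
            block["nat"].append(m.groups())  # (real_if, mapped_if, mapped, proto, real_port, mapped_port)
    return cfg


def _outside_names(cfg):
    return {i["nameif"] for i in cfg["ifaces"].values() if i["level"] == 0}


def _outside_acl_entries(cfg):
    """Entries of every ACL applied inbound on a security-level-0 (outside) interface."""
    outside = _outside_names(cfg)
    return [e for name, (direction, nameif) in cfg["groups"].items()
            if direction == "in" and nameif in outside for e in cfg["acls"].get(name, [])]


def exposed_services(cfg):
    """(host, proto, mapped_port) triples reachable from the Internet: the service must be
    statically NAT'd to an outside interface AND permitted by an inbound outside ACL."""
    outside, entries, reached = _outside_names(cfg), _outside_acl_entries(cfg), []
    for obj in cfg["objects"].values():
        for _real_if, mapped_if, _mapped, proto, real_port, mapped_port in obj["nat"]:
            if mapped_if not in outside or proto is None:  # whole-host static NAT: out of scope
                continue
            # since ASA 8.3 the ACL is matched on the real (pre-NAT) port, hence real_port
            if any(a == "permit" and p in ("ip", proto) and d in ("any", f"object {obj['name']}")
                   and port in (None, real_port) for a, p, _s, d, port in entries):
                reached.append((obj["host"], proto, mapped_port))
    return sorted(reached)


def overly_broad_entries(cfg):
    """Inbound outside ACL permits wider than 'one protocol/port to one named object'."""
    return [e for e in _outside_acl_entries(cfg)
            if e[0] == "permit" and (e[1] == "ip" or e[3] == "any" or e[4] is None)]


def dmz_isolation_findings(cfg):
    """Every interface between outside (level 0) and the highest-level interface is a DMZ and
    must carry 'no forward interface <inside VLAN>' so DMZ hosts cannot initiate to inside."""
    named = sorted((i for i in cfg["ifaces"].values() if i["nameif"]), key=lambda i: i["level"])
    if len(named) < 3:
        return ["fewer than three named VLAN interfaces: nothing to isolate"]
    inside = named[-1]
    return [f"{i['nameif']} ({i['vlan']}) may initiate connections to {inside['nameif']}: "
            f"add 'no forward interface {inside['vlan']}' under interface {i['vlan']}"
            for i in named[1:-1] if inside["vlan"] not in i["no_forward"]]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("weak", WEAK_CONFIG)):
        c = parse_asa(text)
        print(label, exposed_services(c), overly_broad_entries(c), dmz_isolation_findings(c) or "ok")
```

To run it against a real box, save the output of show running-config to a file and call parse_asa() on its contents. The first function is the one worth re-running after every change: a NAT rule with no matching permit, or a permit with no NAT rule, both mean the service is not reachable, while "permit ip any any" on the outside interface turns the single port forward into full exposure of whatever is NAT'd to that interface.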

Hi,

Thank you for your detailed answer. It seems to me clear so far and I will try to implement it.

When I registered my domain "Mydomain.com" I got an IP address for this domain (it is different from the address I got from the ISP). Do I need to assign this address to my firewall as well? Or is the domain IP address used by DNS servers only?

Thank you.

When you register a domain, by default the DNS A records will be hosted at whichever registrar you used. You will need to modify the DNS A records to point to the public IP given by your ISP if you are attempting to use it for services behind your firewall, e.g. www.mydomain.com, webmail.mydomain.com, etc.

Thank you!
