02-04-2013 04:04 PM - edited 03-11-2019 05:56 PM
Hi,
I have an ASA 5505 with the Base license, v9.1, ASDM 7.1. I want to create a DMZ for a web server.
The interface 0 is for the outside network
The interface 6 is for the DMZ
All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/
I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried assigning the static IP address to the outside interface first, but when I then used the ASDM “Public Servers” feature to configure NAT, I got an error message saying that the outside interface and the public address cannot have the same IP address.
2/
For the sake of peace of mind, I am thinking about using a second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the first firewall, or is there a better solution?
Thank you for your time and help.
02-04-2013 04:17 PM
Hi,
You would be better off configuring the public IP address on the "outside" interface of the ASA5505.
By default you will have some Vlan interface which has all the IP address configuration under it. That Vlan is then attached to some interface. In your case it seems to be the Ethernet0 port.
With the public IP address configured on the "outside" interface you could then use port forwarding to forward the web service to the DMZ server.
Here's an example configuration:
! Switchport-to-VLAN mapping. Not in the original snippet; assumes the
! poster's layout (Ethernet0/0 = outside, Ethernet0/6 = DMZ).
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Vlan1
 description INSIDE
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Base license: the third VLAN may not initiate traffic to one other VLAN;
! 'no forward interface' must be entered before 'nameif'.
interface Vlan10
 no forward interface Vlan1
 description DMZ
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Publish the DMZ host on the outside interface's own address ('static
! interface'), TCP/80 only. Using the interface keyword is what avoids the
! "same IP address" error seen in ASDM.
object network WEB-SERVER
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp 80 80
!
! Post-8.3 ACLs reference the real (DMZ) address, not the mapped one.
access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside
The above configuration is meant to illustrate
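As an added check, not code from this thread or from Cisco, the Python script below parses the sample configuration above (embedded as constructed input, with `ip add` spelled out) and verifies the properties the answer depends on: security levels ordered outside < dmz < inside, the Base-license `no forward interface` restriction present on the DMZ VLAN and entered before `nameif`, the web server published with `static interface` and a single TCP port rather than on a literal address equal to the outside IP (the error the poster hit), and the inbound ACL on outside limited to that object and port. It understands only the small subset of ASA syntax shown in the thread; `WEAK_CONFIG` is a constructed variant with those properties broken, included to show what the findings look like.

```python
"""Review an ASA 5505 outside/inside/DMZ config for the properties the
thread relies on.  Added example; not code from the thread or from Cisco.
Handles only the subset of ASA syntax used in the sample configuration."""
import re
from collections import OrderedDict

# The answer's sample config (constructed input, 'ip add' spelled out).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Vlan10
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
object network WEB-SERVER
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp 80 80
access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside
"""

# Constructed weak variant: Base-license restriction missing, object mapped
# to the outside interface's literal IP (the poster's error), no 'service'
# restriction, and a permit-everything ACE.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    " no forward interface Vlan1\n", "").replace(
    "static interface service tcp 80 80", "static 1.1.1.1").replace(
    "permit tcp any object WEB-SERVER eq 80", "permit ip any any")


def parse_config(text):
    """Split a config into top-level blocks: {header line: [indented sub-lines]}."""
    blocks, current = OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def interfaces(blocks):
    """Map nameif -> {vlan, level, ip, no_forward target, restriction before nameif}."""
    result = {}
    for header, body in blocks.items():
        if not header.startswith("interface Vlan"):
            continue
        info = {"vlan": header.split()[1], "level": None, "ip": None,
                "no_forward": None, "forward_before_nameif": False}
        name, seen_nameif = None, False
        for line in body:
            p = line.split()
            if p[:1] == ["nameif"]:
                name, seen_nameif = p[1], True
            elif p[:1] == ["security-level"]:
                info["level"] = int(p[1])
            elif p[:2] == ["ip", "address"]:
                info["ip"] = p[2]
            elif p[:3] == ["no", "forward", "interface"]:
                info["no_forward"] = p[3]
                info["forward_before_nameif"] = not seen_nameif
        if name:
            result[name] = info
    return result


def check_dmz_design(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_config(text)
    ifaces = interfaces(blocks)
    findings = [f"missing interface nameif '{n}'"
                for n in ("outside", "inside", "dmz") if n not in ifaces]
    if findings:
        return findings
    out, inn, dmz = ifaces["outside"], ifaces["inside"], ifaces["dmz"]
    if not out["level"] < dmz["level"] < inn["level"]:
        findings.append("security levels must satisfy outside < dmz < inside")
    # Base license: third VLAN may not initiate traffic to one other VLAN,
    # and 'no forward interface' has to be entered before 'nameif'.
    if dmz["no_forward"] != inn["vlan"]:
        findings.append("dmz VLAN lacks 'no forward interface' towards the inside VLAN")
    elif not dmz["forward_before_nameif"]:
        findings.append("'no forward interface' must precede 'nameif' on the dmz VLAN")
    # Object NAT: publish the host on the shared outside address, one port only.
    allowed = set()
    for header, body in blocks.items():
        if not header.startswith("object network "):
            continue
        obj = header.split()[2]
        for line in body:
            m = re.match(r"nat \((\w+),(\w+)\) static (\S+)"
                         r"(?: service (\w+) (\S+) (\S+))?$", line)
            if not m:
                continue
            src, dst, mapped, proto, real_port, _mapped_port = m.groups()
            if (src, dst) != ("dmz", "outside"):
                findings.append(f"{obj}: expected nat (dmz,outside), got ({src},{dst})")
            if mapped == out["ip"]:
                findings.append(f"{obj}: mapped address {mapped} duplicates the outside "
                                "interface IP; use 'static interface'")
            if proto is None:
                findings.append(f"{obj}: static NAT without 'service' exposes every port")
            else:
                allowed.add((obj, real_port))
    # Inbound ACL on outside: only the published object/port may be permitted.
    acl = None
    for header in blocks:
        m = re.match(r"access-group (\S+) in interface outside$", header)
        if m:
            acl = m.group(1)
    if acl is None:
        findings.append("no access-group applied inbound on the outside interface")
        return findings
    for header in blocks:
        m = re.match(rf"access-list {re.escape(acl)} permit (\S+) (.*)$", header)
        if not m:
            continue
        proto, rest = m.groups()
        ace = re.match(r"any object (\S+) eq (\S+)$", rest)
        if not (proto == "tcp" and ace and ace.groups() in allowed):
            findings.append(f"ACE '{header}' permits more than the published service")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "->", check_dmz_design(cfg) or "OK")
```

Run it against a pasted `show running-config` excerpt by replacing `SAMPLE_CONFIG`; the sample returns no findings, while the weak variant reports the four problems described in the comments. The checks deliberately work on the real (DMZ) address in the ACE, which is what post-8.3 ASA code expects.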
02-04-2013 04:42 PM
Hi,
Thank you for your detailed answer. It seems to me clear so far and I will try to implement it.
When I registered my domain "Mydomain.com" I got an IP address for this domain (it is different from the address I got from the ISP). Do I need to assign this address to my firewall as well? Or is the domain IP address used by DNS servers only?
Thank you.
02-05-2013 08:10 AM
When you register a domain, by default the DNS A records will be hosted at whichever registrar you used. You will need to modify the DNS A records to point to the public IP given by your ISP if you are attempting to use it for services behind your firewall, e.g. www.mydomain.com, webmail.mydomain.com, etc.
02-05-2013 09:16 AM
Thank you!