Security Traffic flow in Firewall

Rowlands Price, Level 1

Dear Support

I have many questions regarding traffic flow passing through the firewall.

I have a Cisco ASA 5520 firewall with 3 interfaces in use: Internet, LAN and DMZ.

My concern is about traffic passing according to this scenario:

 

1 LAN to Internet

2 LAN to DMZ

3 DMZ to Internet

4 Internet to LAN

5 DMZ to LAN

Can you please tell me which of these is permitted or denied from one zone to another?

The second concern is that I have one application running HTTP installed in the local network. It's a critical application for the business and I want to allow access to that application from the Internet (users will have a login/password to access it). Is it normal to allow access from the Internet to the internal LAN using NAT with no risk?

Attached is the firewall diagram


Many thanks in advance

Accepted Solution

rvarelac, Level 7

Hi Roland,

The ASA uses the security level to allow communication between interfaces: an interface with a higher security level can communicate with an interface with a lower security level, but not backwards.

For example, if we assign the following security levels to your interfaces:

Internet = Security level 0

DMZ = Security level 50

Inside = Security Level 100

The communication will be allowed as follows:

1 LAN to Internet = Allow

2 LAN to DMZ = Allow

3 DMZ to Internet = Allow

4 Internet to LAN = Deny

5 DMZ to LAN = Deny.

Regarding the HTTP application, you can create a port forwarding so it can be accessed from the Internet. If the port forwarding is properly configured, only port 80 should be allowed. You should keep the application up to date and patched to avoid any security issue.

As an alternative solution you can use a VPN client (AnyConnect) to access your internal application.

Hope it helps.

- Randy-
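As an added example of the design in the accepted answer (this is not configuration from the thread; the interface names, the RFC 5737 documentation addresses and the APP_SERVER object name are assumed, and the NAT syntax is the ASA 8.3+ object form), here are the three security levels together with a static NAT and inbound ACL that expose only TCP/80 of the internal server, plus the show and packet-tracer checks to confirm nothing else is reachable:

```cisco
! Interface security levels: Internet (outside) = 0, DMZ = 50, LAN (inside) = 100.
! Traffic initiated from a higher level to a lower level is allowed by default;
! lower-to-higher (Internet to LAN, DMZ to LAN) is denied unless an ACL permits it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! The internal HTTP application server (assumed address) and its public address.
! "service tcp www www" limits the static translation to TCP/80, so no other
! port on 10.0.0.20 is reachable through 203.0.113.20 even if an ACL permitted it.
object network APP_SERVER
 host 10.0.0.20
 nat (inside,outside) static 203.0.113.20 service tcp www www
!
! Inbound ACL on the outside interface: permit only TCP/80 to the server.
! On ASA 8.3 and later the ACL matches the real (untranslated) address, hence the object.
! The explicit deny with "log" records everything else that arrives on the public side.
access-list OUTSIDE_IN extended permit tcp any object APP_SERVER eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verification after applying the configuration:
! show nat detail                      -> the translation should list only tcp/80
! show access-list OUTSIDE_IN          -> permit/deny hit counts per line
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 80   -> expect ALLOW
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 443  -> expect DROP
```

The second packet-tracer line is the check the later reply asks for: any port other than 80 must be dropped by both the NAT rule and the ACL before an external scan is even needed.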


Thanks Randy for your response.

Is it recommended to use an ACL to allow traffic from the Internet to the LAN using NAT?

My case:

one application with a database in the local network with a private IP.

I want to allow access to this database from the Internet (like online bank account consulting).

I used one public IP and NATted this public IP to the application's private IP (the application is located in the LAN).

Finally, I made an ACL from any to the public IP which is NATted to the internal IP. With this, we have traffic from the Internet to the internal network. Is this correct, or is there a security risk?


Regards

Roland,

Keep in mind that with that configuration this database is not only public to your co-workers, it is public to everybody, literally.

If this application is related to banking or sensitive information, I strongly recommend you send that traffic encrypted over a VPN.

However, if that is not a possibility, you can enforce security on your internal network: you can add an IPS module to your ASA to monitor the traffic to this application.

As a best practice you can run an Nmap scan against your ASA once it has been configured, to make sure the application is only open on the ports it is supposed to be.


Cheers,

-Randy-

Dear Randy

The application is sensitive and many users from the Internet will connect to it, so it's not possible to use a VPN.

My question is general: when you have a sensitive application with a database and need users from the Internet to connect, upload and download files, exactly like an online account, what is the best solution for securing the application and database?

I cannot move the application to the DMZ; it's the enterprise's main application.

For now there is an ACL from any to the public IP, and that public IP is NATted to the application on the LAN.

Is it secure to NAT traffic from the Internet to the LAN directly?


Thanks

Hi Roland,

When you have this ACL on your ASA, basically it behaves like a proxy forwarding information between the application and the Internet users.

This means the normal firewall rules do not apply for this connection. With this configuration, from the security perspective, the security perimeter needs to be outside the scope of the ASA.

For example, if the users need to log in to the application before having access, make sure the AAA server is secure and that the application itself is running up-to-date software.


Cheers,
