07-14-2015 11:40 AM - last edited on 03-25-2019 05:56 PM by ciscomoderator
Dear Support
I have many questions regarding traffic flow passing through the firewall.
I have a Cisco ASA 5520 firewall with 3 interfaces used: Internet, LAN and DMZ.
My concern is about traffic passing according to this scenario:
1 LAN to Internet
2 LAN to DMZ
3 DMZ to Internet
4 Internet to LAN
5 DMZ to LAN
Can you please tell me whether traffic is permitted or denied from one zone to another?
The second concern is that I have one application running HTTP installed in the local network; it's a critical application for the business and I want to allow access to that application from the Internet (users will have a login/password to access it). Is it normal to allow access from the Internet to the internal LAN using NAT with no risk?
Attached is the firewall diagram
Many thanks in advance
07-14-2015 03:51 PM
Hi Roland,
The ASA uses the security level to allow communication between interfaces: an interface with a higher security level can communicate with an interface with a lower security level, but not the other way around.
For example, if we assign the following security levels to your interfaces:
Internet = Security level 0
DMZ = Security level 50
Inside = Security level 100
The communication will be allowed as follows:
1 LAN to Internet = Allow
2 LAN to DMZ = Allow
3 DMZ to Internet = Allow
4 Internet to LAN = Deny
5 DMZ to LAN = Deny.
Regarding the HTTP application, you can create a port forwarding so it can be accessed from the Internet. If the port forwarding is properly configured, only port 80 should be allowed. You should keep the application up to date and patched to avoid any security issues.
As an alternative solution, you can use a VPN client (AnyConnect) to access your internal application.
Hope it helps.
- Randy-
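As an added example (not part of Randy's reply and not Roland's actual configuration), here is how the three security levels, a port-80-only static NAT for the internal HTTP server and the matching inbound ACL would look on an ASA running 8.3 or later. The interface names, the object name and every address are placeholder assumptions taken from documentation ranges; the lines beginning with `!` are comments for the reader.

```cisco
! Added example configuration, not from the original thread.
! Placeholder addresses: 203.0.113.0/24 = Internet side, 192.168.1.0/24 = LAN, 172.16.1.0/24 = DMZ.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Static object NAT for the internal HTTP application (assumed real address 192.168.1.50,
! assumed public address 203.0.113.20). Translating only TCP/80 means the public address
! does not expose any other service running on that server.
object network APP_SERVER_HTTP
 host 192.168.1.50
 nat (inside,outside) static 203.0.113.20 service tcp www www
!
! Inbound ACL on the outside interface. On ASA 8.3+ the ACL is matched against the real
! (untranslated) address, so the rule references the object, not 203.0.113.20.
! Everything else from the Internet stays denied, and the log keyword records the drops.
access-list OUTSIDE_IN extended permit tcp any object APP_SERVER_HTTP eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

With this in place the five flows behave as listed above: inside and dmz can still initiate to lower-security interfaces, dmz to inside remains denied by the security levels, and the only Internet-initiated traffic that reaches the LAN is TCP/80 to the one host named in the object. Anything else arriving on the outside interface hits the explicit deny and is logged, which is also what a later scan of 203.0.113.20 should confirm: port 80 open and nothing else.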
07-14-2015 04:52 PM
Thanks Randy for your response.
Is it recommended to use an ACL to allow traffic from the Internet to the LAN using NAT?
My case:
One application with a database in the local network with a private IP.
I want to allow access to this database from the Internet (like consulting a bank account).
I used one public IP and NATted this public IP to the application's private IP (the application is located in the LAN).
Finally, I made an ACL from any to the public IP which is NATted to the internal IP, but with this we have traffic from the Internet to the internal network. Is this correct, or is there a security risk?
Regards
07-14-2015 07:58 PM
Roland,
Keep in mind that with that configuration this database is not only public to your co-workers; it is literally public to everybody.
If this application is related to banking or sensitive information, I strongly recommend that you send that traffic encrypted over a VPN.
However, if that is not a possibility, you can enforce security on your internal network: you can add an IPS module to your ASA to monitor the traffic to this application.
As a best practice, you can run an Nmap scan against your ASA once it has been configured to make sure the application is only open on the ports it is supposed to be.
Cheers,
-Randy-
07-15-2015 12:11 AM
Dear Randy
The application is sensitive and many users from the Internet will connect to it, so it's not possible to use a VPN.
My question is general: when you have a sensitive application with a database and need users from the Internet to connect, upload and download files, exactly like an online account, what is the best solution for securing the application and database?
I cannot move the application to the DMZ; it's the enterprise's main application.
For now there is an ACL, any to the public IP, and that public IP is NATted to the application on the LAN.
Is it secure to NAT traffic from the Internet to the LAN directly?
Thanks
07-15-2015 09:16 AM
Hi Roland,
When you have this ACL on your ASA, basically this behaves like a proxy forwarding information between the application and the Internet users.
This means the normal firewall rules do not apply for this connection; with this configuration, from the security perspective, the security perimeter needs to be out of the scope of the ASA.
For example, if the users need to log in to the application prior to having access, make sure the AAA server is secure and the application itself is running up-to-date software.
Cheers,