01-26-2012 10:16 AM - edited 03-04-2019 03:02 PM
Hi all.
I have an old server that has custom apps developed by a bankrupt company that we can't replace yet. We are being tasked with upgrading the Operating System and security patches, while preserving the existing live server. I was able to accomplish this by virtualizing it, then cloning the virtual machine. Where I got stuck was that the custom app requires a specific host name. So, I got the idea to have the two servers live on different sides of the firewall until the test platform is accepted and the old live one can be retired.
My problem is that I have no experience with configuring a real firewall like this asa5510.
Servers are:
CM1 live server
CM2 test platform
ADS Active Directory and File and Print
My thought is to setup:
*LAN-WAN (NAT) - Allow
*LAN-DMZ ( NO NAT) - Allow only http to CM2 (accessing by IP rather than host due to duplicate names)
DMZ-LAN (No NAT) - Allow CM2 to use ADS printing services
DMZ-WAN (No NAT) - Block
*WAN-LAN (NAT) - Allow ICA to CM1
WAN-DMZ (NAT) - Allow https to CM2
~~~
* is already set up.
Does this make sense? I've started to carefully poke around in the Cisco ASDM-IDM, but haven't figured out how to access the DMZ from the outside (so far just testing with http as I don't have my certificate to setup https just yet). Am I missing something to get through to the DMZ from the WAN side?
Sorry for being such a noob, and thanks for any advice!
01-26-2012 12:15 PM
Can you post your configuration and remove any sensitive info (public IPs, usernames etc..)?
02-02-2012 04:08 PM
Thank you for your reply... it actually turned out that the DMZ and external-facing T1 side had the same security level.
same-security-traffic permit inter-interface
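For anyone landing here with the same layout: the snippet below is an added example, not the poster's or the replier's configuration. It shows one way to build the WAN-DMZ (https to CM2 only) and DMZ-LAN (CM2 to ADS only) rules from the list above while giving the DMZ its own security level, so the outside-to-DMZ path is controlled by the inbound ACL rather than by permitting same-security traffic. It assumes ASA 8.3+ object NAT syntax; every address, interface name and ACL name is a placeholder.

```text
! Added example, not the original poster's config. ASA 8.3+ syntax, all
! addresses are placeholders. A distinct security level (between inside=100
! and outside=0) means outside->dmz is denied unless an ACL permits it, and
! dmz->inside is denied unless an ACL permits it, so
! "same-security-traffic permit inter-interface" is not required.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Hosts from the thread (placeholder addresses)
object network CM2
 host 192.168.50.20
object network ADS
 host 10.0.0.5
!
! WAN-DMZ (NAT): publish only TCP/443 of CM2 on a placeholder public address.
! Static object NAT with a port limits the translation to https alone.
object network CM2-HTTPS
 host 192.168.50.20
 nat (dmz,outside) static 203.0.113.20 service tcp https https
!
! Inbound rule on the outside interface. On 8.3+ the ACL references the
! real (DMZ) address, not the mapped public one.
access-list outside_access_in extended permit tcp any object CM2 eq https
access-group outside_access_in in interface outside
!
! DMZ-LAN (no NAT) and DMZ-WAN (block): CM2 may reach ADS for print sharing
! over SMB (TCP/445); everything else leaving the DMZ is denied and logged.
! Add the spooler RPC ports here if the print path needs them.
access-list dmz_access_in extended permit tcp object CM2 object ADS eq 445
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
```

Check the result from the CLI with "show access-list dmz_access_in" (hit counts on the deny line reveal anything else the DMZ host is trying to reach) and "show nat detail" for the https translation.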