Catalyst 4506 simple DMZ

Unanswered Question
Mar 11th, 2008

Hey guys, I need some help with DMZs. Here's the setup:


LAN = 10.10.30.0/24

DMZ = 10.60.60.0/24


One server in the DMZ, 10.60.60.10, needs access to 10.10.30.220 on port 443. This is the only access needed from the PC in the DMZ to a PC in the LAN. Everything will obviously need to be locked down.


This DMZ PC also needs to accept traffic on ports 80 and 443 from the internet.


How would you VLAN this and, especially, the access-lists?


Thank you


Jason Fraioli Tue, 03/11/2008 - 17:12

Edit: You are most likely going to want to permit UDP 53 out/in for DNS lookups.


access-list 101 permit tcp host 10.60.60.10 host 10.10.30.220 eq 443
access-list 101 permit tcp any host 10.60.60.10 eq 80
access-list 101 permit tcp any host 10.60.60.10 eq 443


vlan access-map dmz_http
match ip address 101
action forward


vlan filter dmz_http vlan-list

insccisco Tue, 03/11/2008 - 17:54

So with this config, anything else will be denied? Meaning if I try to access anything on the LAN from the DMZ, it will be denied?


Also, the LAN should have total access to the DMZ, but the DMZ should be blocked from accessing anything in the LAN except the 10.10.10.30 server at the specified port.


How will this look?

Jason Fraioli Tue, 03/11/2008 - 18:01

OK, then for your LAN to DMZ full access you'll have:

access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255


You can use the other access list I posted above for your DMZ to .30 server access list.


EDIT: Sorry, I re-read your post and realized I had misunderstood you. Based on what you have told us, your access list should resemble the following:


access-list 101 permit ip 10.60.30.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 permit tcp host 10.10.60.10 host 10.60.30.220 eq 443
access-list 101 permit tcp any host 10.60.60.10 eq 80
access-list 101 permit tcp any host 10.60.60.10 eq 443


That will permit your entire LAN subnet to access the DMZ subnet, but only allow your DMZ to connect to the server in the LAN (30.220 eq 443).

insccisco Tue, 03/11/2008 - 19:00

This looks good. I'm going to apply it on a Catalyst 4506.


Will this be enough for the requirements of putting an Access Gateway server in the DMZ?


The only thing this box will be doing is receiving requests from internet users on ports 443 and 80, authenticating them, and if successful, allowing the connection to the inside server.


Assuming this DMZ server gets hacked, because it sits in the DMZ and access to the internal LAN is completely blocked (except on port 443), will it be safe? In other words, will this meet the requirements for properly placing this box in the DMZ?


Sorry for the simple questions, but I'm learning.

lamav Tue, 03/11/2008 - 20:10

Jason:


I think you may have committed a typo.


In the access list


access-list 101 permit ip 10.60.30.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 permit tcp host 10.10.60.10 host 10.60.30.220 eq 443
access-list 101 permit tcp any host 10.60.60.10 eq 80
access-list 101 permit tcp any host 10.60.60.10 eq 443



...didn't you mean to write


access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255


for the first statement?


...and...


access-list 101 permit tcp host 10.60.60.10 host 10.10.30.220 eq 443


for the second statement?


Just wanna make sure...


Victor

insccisco Tue, 03/11/2008 - 21:14

Mmm, I see... great catch. So what will be the real final config?

lamav Tue, 03/11/2008 - 21:25

Hi:


His config is correct, but he just got dyslexic for a moment. :-) Happens to all of us...


Just replace the first 2 statements of his access list with the 2 corrected statements I posted.

But if you like, wait for him to log back on and answer your question.


Hope I've helped you...


If so, please rate my posts


Thanks


Victor
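As an added example, not code from Jason, Victor or the original poster, the following Python script parses a constructed version of the thread's access list in Cisco IOS extended-ACL syntax and evaluates sample packets the way a VLAN access map applies them: statelessly, with both directions of every conversation checked against the same list, first match wins, and an implicit deny at the end. The access list is the editor's: it keeps the three rules the thread settles on (LAN to DMZ, DMZ server to 10.10.30.220 on tcp/443, Internet to the DMZ server on 80 and 443) and adds what a stateless VACL still needs, an explicit deny for everything else from the DMZ into the LAN and `established` lines for return traffic. The parser understands only the keywords used here (`host`, `any`, wildcard masks, `eq`, `established`); the Internet client 203.0.113.7, the port numbers and the flows are constructed.

```python
"""Evaluate Cisco IOS extended-ACL lines the way a VLAN access map applies them:
stateless, both directions checked against one list, first match wins, implicit deny.
Editor's constructed example for the thread's topology, not the posters' config."""
from collections import namedtuple
import ipaddress

# Constructed ACL. Remarks tagged ADDED mark lines the thread itself does not have.
ACL_TEXT = """
access-list 101 remark LAN has full access to the DMZ
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255
access-list 101 remark DMZ server reaches the inside server on tcp/443 only
access-list 101 permit tcp host 10.60.60.10 host 10.10.30.220 eq 443
access-list 101 remark ADDED: TCP replies to LAN-initiated sessions (ACK/RST set)
access-list 101 permit tcp 10.60.60.0 0.0.0.255 10.10.30.0 0.0.0.255 established
access-list 101 remark ADDED: nothing else from the DMZ into the LAN
access-list 101 deny ip 10.60.60.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 101 remark Internet clients to the DMZ web server
access-list 101 permit tcp any host 10.60.60.10 eq 80
access-list 101 permit tcp any host 10.60.60.10 eq 443
access-list 101 remark ADDED: the web server's replies back to those clients
access-list 101 permit tcp host 10.60.60.10 eq 80 any established
access-list 101 permit tcp host 10.60.60.10 eq 443 any established
"""

Rule = namedtuple("Rule", "action proto src swild sport dst dwild dport established text")
Flow = namedtuple("Flow", "proto src sport dst dport ack")  # ack: ACK or RST bit set
ALL = 0xFFFFFFFF

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (net, wildcard, next index)."""
    if t[i] == "any":
        return 0, ALL, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def _port(t, i):
    """Parse an optional 'eq N' at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Turn numbered 'access-list N permit|deny ...' lines into Rule tuples, skipping remarks."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue
        src, swild, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dwild, i = _addr(t, i)
        dport, i = _port(t, i)
        established = i < len(t) and t[i] == "established"
        rules.append(Rule(t[2], t[3], src, swild, sport, dst, dwild, dport, established, line.strip()))
    return rules

def _in(addr, net, wild):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    return (int(ipaddress.IPv4Address(addr)) & ~wild & ALL) == (net & ~wild & ALL)

def evaluate(rules, flow):
    """Return (decision, matching line) for one packet; first match wins."""
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if not (_in(flow.src, r.src, r.swild) and _in(flow.dst, r.dst, r.dwild)):
            continue
        if r.proto != "ip" and r.sport not in (None, flow.sport):
            continue
        if r.proto != "ip" and r.dport not in (None, flow.dport):
            continue
        if r.established and not flow.ack:
            continue
        return r.action, r.text
    return "deny", "implicit deny at end of list"

RULES = parse_acl(ACL_TEXT)

# Constructed sample packets; 203.0.113.7 stands in for an Internet client.
SAMPLE_FLOWS = {
    "dmz_srv_to_inside_443":   Flow("tcp", "10.60.60.10", 40001, "10.10.30.220", 443, False),
    "dmz_srv_to_inside_22":    Flow("tcp", "10.60.60.10", 40002, "10.10.30.220", 22, False),
    "dmz_srv_to_other_lan":    Flow("tcp", "10.60.60.10", 40003, "10.10.30.5", 445, False),
    "lan_admin_to_dmz_rdp":    Flow("tcp", "10.10.30.5", 50001, "10.60.60.10", 3389, False),
    "dmz_rdp_reply_to_lan":    Flow("tcp", "10.60.60.10", 3389, "10.10.30.5", 50001, True),
    "internet_to_dmz_443":     Flow("tcp", "203.0.113.7", 51001, "10.60.60.10", 443, False),
    "dmz_443_reply_to_client": Flow("tcp", "10.60.60.10", 443, "203.0.113.7", 51001, True),
    "dmz_srcport_443_new_syn": Flow("tcp", "10.60.60.10", 443, "203.0.113.7", 22, False),
    "dmz_ack_probe_into_lan":  Flow("tcp", "10.60.60.10", 443, "10.10.30.5", 22, True),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        action, why = evaluate(RULES, flow)
        print(f"{name:26} {action:6} <- {why}")
```

Running it prints one decision per packet with the line that decided it. Three results are the practical lessons. Without the `established` reply lines, a LAN admin's RDP session to the DMZ box and an Internet user's HTTPS session both get their replies dropped, because the VACL sees the server's answer as a new DMZ-sourced packet. With them, a compromised 10.60.60.10 cannot open new connections out of ports 80/443 (the SYN-only probe is denied), but a bare-ACK packet from it into the LAN still matches the reply rule; that ACK-scan leak is the known limit of stateless filtering, and non-TCP traffic (ICMP, UDP, including Jason's DNS suggestion) has no `established` equivalent and needs request and reply lines of its own. A stateful firewall between the two VLANs is what actually answers the "if the DMZ server gets hacked" question; a VACL only narrows what the box can reach.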



