Catalyst 4506 simple DMZ

insccisco · ‎03-11-2008

Hey guys, I need some help with DMZs. Here's the setup:

LAN = 10.10.30.0/24

DMZ = 10.60.60.0/24

One server at DMZ, 10.60.60.10, needs access to 10.10.30.220 on port 443. This is the only access needed from pc at DMZ to pc in the LAN. Everything will obviously need to be locked down.

This DMZ pc also needs to accept traffic on port 80 and 443 from the internet.

How would you VLAN this and specially, the access-lists?

thank you

Jason Fraioli · ‎03-11-2008

Edit: You are most likely going to want to permit udp 53 out/in for DNS lookups.

access-list 101 permit ip host 10.10.30.220 host 10.60.60.10 eq 443

access-list 101 permit ip host 10.60.60.10 eq 80

access-list 101 permit ip host 10.60.60.10 eq 443

vlan access-map dmz_http

match ip address 101

action forward

vlan filter dmz_http vlan-list

insccisco · ‎03-11-2008

So with this config, anything else will be denied? Meaning if I try to access anything on the LAN from the DMZ will be denied?

Also, the LAN should have total access to the DMZ, but the DMZ should be blocked from accessing anything in the LAN except the 10.10.10.30 server at the specified port.

How will this look?

Jason Fraioli · ‎03-11-2008

ok then for your lan to dmz full access you'll have;

access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255

you can use the other access list I posted above for your dmz to .30 server access list

EDIT: Sorry I re-read your post and realized I had you misunderstood. Based on what you have told us, your access list should resemble the following;

access-list 101 permit ip 10.60.30.0 0.0.0.255 10.10.60.0 0.0.0.255

access-list 101 permit ip host 10.10.60.10 host 10.60.30.220 eq 443

access-list 101 permit ip host host 10.60.60.10 eq 80

access-list 101 permit ip host host 10.60.60.10 eq 443

That will permit your entire LAN subnet to access the DMZ subnet, but only allow your DMZ to connect to the server in the lan (30.220 eq 443).

insccisco · ‎03-11-2008

this looks good. Im going to apply it in a Catalyst 4506.

will this be enough for the requirements of putting an Access Gateway server in the DMZ?

The only thing this box will be doing is receive requests from internet users in port 443 and 80, authenticate them, and if success, then allow the connection to the inside server.

Assuming this DMZ server gets hacked, because it sits in the DMZ and access is completely blocked to internal LAN (except on port 443), will it be safe? In other, will this meet the requirements or properly placing this box in the DMZ?

sorry for the simple questions, but I'm learning

lamav · ‎03-11-2008

jason:

I think you may have committed a typo.

In the access list

access-list 101 permit ip 10.60.30.0 0.0.0.255 10.10.60.0 0.0.0.255

access-list 101 permit ip host 10.10.60.10 host 10.60.30.220 eq 443

access-list 101 permit ip host host 10.60.60.10 eq 80

access-list 101 permit ip host host 10.60.60.10 eq 443

...didn't you mean to write

access-list 101 permit ip 10.10.30.0 0.0.0.255 10.60.60.0 0.0.0.255

for the first statement?

...and...

access-list 101 permit ip host 10.60.60.10 host 10.10.30.220 eq 443

for the second statement?

Just wanna make sure...

Victor

insccisco · ‎03-11-2008

mmm I see... great catch. So what will be the real final config?

lamav · ‎03-11-2008

Hi:

His config is correct, but he just got dyslexic for a moment. :-) Happens to all of us...

Just replace the first 2 statements of his access list with the 2 corrected statements I posted.

But if you like, wait for him to log back on and answer your question.

Hope I've helped you...

If so, please rate my posts

Thanks

Victor

insccisco · ‎03-12-2008

great thank you

Jason Fraioli · ‎03-12-2008

Victor is correct. Sorry for the typo!