Creating a DMZ on ASA

Unanswered Question
Aug 1st, 2008

We have an existing an ASA that we want to configure a DMZ. A secure FTP server with public IP will be connected to the DMZ.

Is the configuration as simple as,

1. Configure the new interface with security level,

2. enable routing statement,

3. enable access list to allow traffic to the FTP server.

Employees on the LAN and others would access the FTP through the Internet. NAT is presently done by the outside int. of ASA.

Would configuring the DMZ effect production/network connectivity?

Thanks.

Said

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
JORGE RODRIGUEZ Fri, 08/01/2008 - 14:01

Said,

I do not see a reason of network interuption by configuring new interface for your DMZ network, however, it is of good practice to making major FW changes during non-production hours.

You may want to reference these two links which resambles your scenarion and requirements.

FTP - ASA firewalls

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

DMZ config scenarion

http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/dmz.html

HTH

Jorge

JORGE RODRIGUEZ Sat, 08/02/2008 - 06:29

Said, you are welcome.

I also want to provide additional information regarding the creation of another interface. I should have added in previous post, that, in the scenario where you have a physical and wanted to split the interface using 802.1q into several logical interfaces say one logical be your new DMZ network,and that interface is for example your inside interface or any other interface in production, you may have network disruption during the creation of trunking and other required initial configuration.

Now,if you have free physical interface not bound to any configuration other than be dedicated for DMZ network there should not be network disruption in relation to other active interfaces.

HTH

Jorge

Actions

This Discussion