Add logical DMZ to existing firewall for outside vendors

Oct 22nd, 2008

I have an ASA 5510 running 7.24 that has logical interfaces configured.

We will be allowing some outside vendors using our Internet link, they will be bringing their own laptops.

I was thinking of adding a DMZ and just connecting their laptops to the DMZ switch, in the new DMZ and then out the firewall to the Internet.

The only objective is to allow Internet access to these people, with no connection to our network.

I have a couple of questions:

1. can I add the logical DMZ without interruption of existing logical DMZs?

2. Would it look something like this:

global (outside) 1 interface
nat (DMZ1) 1 0.0.0.0 0.0.0.0
access-list dmz1 extended permit tcp any any eq www
access-list dmz1 extended permit tcp any any eq https
access-list dmz1 extended permit tcp any any eq ftp
access-list dmz1 extended permit udp any any eq domain
access-group dmz1 in interface DMZ1

ajagadee Wed, 10/22/2008 - 21:37

Hi,

Yes, the above configuration should work without interruption to the existing logical DMZ, provided there are no human errors :)

And, while the above configuration will work, I would try and be more specific in your NAT Commands and ACL. For example, if 10.1.1.0/24 is the subnet of the DMZ Users, then I would configure:

global (outside) 1 interface
nat (DMZ1) 1 10.1.1.0 255.255.255.0
access-list dmz1 extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list dmz1 extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list dmz1 extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list dmz1 extended permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group dmz1 in interface DMZ1

Regards,

Arul

*Pls rate if it helps*

wilson_1234_2 Thu, 10/23/2008 - 08:03

Thanks for the reply.

Can the ASA5510 act as a DHCP server and provide addresses to the clients in that DMZ?

risenshine4th Thu, 10/23/2008 - 08:18

Yes. Each interface can have its own DHCP server. You can limit the size of the pool.

Another option if you have people with wireless is to put a wireless unit out on the public side of the firewall. This is great if you have more than one ISP address.

wilson_1234_2 Thu, 10/23/2008 - 15:57

Suppose my ASA public IP interface is 1.1.1.1.

By doing this:

global (outside) 1 interface
nat (DMZ1) 1 10.1.1.0 255.255.255.0

will NAT all source traffic to 1.1.1.1

so,

If I have another address in my public IP subnet that is not being used, 1.1.1.23, could I NAT all the new DMZ traffic to the unused address by doing this:

global (outside) 1 1.1.1.23
nat (DMZ1) 1 10.1.1.0 255.255.255.0

And would it be a good idea to NAT this untrusted traffic to a different address, or does it not really matter all that much?

ajagadee Thu, 10/23/2008 - 18:21

Hi,

If you have a routable IP Address to spare, then I would go with Option 2. The reason being, if you configure PAT, there are only 65535 ports available, out of which the ASA picks a port above port number 1024 to do the PATTing. So, in your case if you do option 1, then both your inside and DMZ Users will be sharing the ports.

Also, like you mentioned, it's easy to track the utilization, xlate, connections, etc. if you have a separate IP Address. Please refer to the URL below, which has information on PAT.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1042445

Regards,

Arul

*Pls rate if it helps*

wilson_1234_2 Thu, 10/23/2008 - 19:55

Something I noticed looking at the config.

I have a failover pair and the existing subinterfaces are showing a standby address, but the one I created is not:

!
interface Ethernet0/2
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.6
 vlan 6
 nameif DMZ1
 security-level 30
 ip address 1.1.2.1 255.255.255.0 standby 1.1.2.2
!
interface Ethernet0/2.7
 vlan 99
 nameif New_DMZ
 security-level 2
 ip address 1.1.3.1 255.255.255.0

Currently the ASA is on the failover unit and the primary is in standby mode.

Do I need to do anything to have the "standby" designation on the interface?

ajagadee Thu, 10/23/2008 - 20:13

Hi,

Yes, you need to configure the IP Address under E0/2.7 along with the standby address.

Example:

interface Ethernet0/2.7
 vlan 99
 nameif New_DMZ
 security-level 2
 ip address 1.1.3.1 255.255.255.0 standby 1.1.3.2

Also, refer to the post below from NETPRO on the use of the standby address in Failover and also the best practice. Excellent information from the two posters.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1e320/1#selected_message

Regards,

Arul

*Pls rate if it helps*
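As an added example (not code from the thread, from Cisco, or from the posters), a small Python checker for the three points this thread raises: the "any" ACL source and 0.0.0.0/0 NAT statement that Arul tightened to the DMZ subnet, and the subinterface that lacks a standby address on a failover pair. The sample config is constructed from the thread's own interface names and addresses; only the ASA line forms shown in the thread are recognised.

```python
import re

# Constructed sample built from the thread: the existing DMZ1 subinterface
# with its standby address, the new subinterface without one, the broad
# NAT/ACL from the original question, and one tightened ACL line.
SAMPLE_CONFIG = """\
interface Ethernet0/2.6
 vlan 6
 nameif DMZ1
 security-level 30
 ip address 1.1.2.1 255.255.255.0 standby 1.1.2.2
interface Ethernet0/2.7
 vlan 99
 nameif New_DMZ
 security-level 2
 ip address 1.1.3.1 255.255.255.0
global (outside) 1 interface
nat (New_DMZ) 1 0.0.0.0 0.0.0.0
access-list dmz1 extended permit tcp any any eq www
access-list dmz1 extended permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group dmz1 in interface New_DMZ
"""

NAT_ANY = re.compile(r"nat \((\S+)\) \d+ 0\.0\.0\.0 0\.0\.0\.0")
ACL_ANY_SRC = re.compile(r"access-list (\S+) extended permit \S+ any ")


def lint_asa_config(text, failover=True):
    """Return a list of findings for a vendor-DMZ config fragment.

    failover=True means the unit is part of an active/standby pair, so every
    addressed interface is expected to carry a 'standby' address.
    """
    findings = []
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = line.split()[1]
        elif line.startswith("ip address ") and current_if and failover and "standby" not in line:
            findings.append(f"{current_if}: ip address has no standby address (failover pair)")
        elif (m := NAT_ANY.match(line)):
            findings.append(f"nat ({m.group(1)}): translates 0.0.0.0/0; restrict to the DMZ subnet")
        elif (m := ACL_ANY_SRC.match(line)):
            findings.append(f"access-list {m.group(1)}: source 'any'; restrict to the DMZ subnet")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print(finding)
```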
