DMZ vs Public Server option in 8.2

Unanswered Question
May 22nd, 2009

Could someone explain the real differences between these two options on the ASA 8.2 release? I know a DMZ is assigned a different security level and the device has a real public IP assigned to it, where the Public Server option is a server with an internal IP with one-to-one NAT. Which is more secure? Are they the same thing now?

Collin Clark Fri, 05/22/2009 - 05:36

Typically nowadays, even DMZ hosts get a private IP. The firewall will NAT a public IP to either the DMZ host or an internal host. Which is more secure? IMO the DMZ is more secure. If for some reason the DMZ host gets compromised, the hacker would also have to break through from the DMZ to the internal network. You can completely block that access, so they could not access the internal network. If the NAT goes directly to the inside and a hacker compromises the system, they are already on the inside.

Hope that helps.

cowetacoit Fri, 05/22/2009 - 07:15

I see your point. So what is the best way to set up a DMZ? Configure INSIDE, OUTSIDE, and DMZ as separate physical interfaces? Or use subinterfaces on the INTERNAL interface?

Collin Clark Fri, 05/22/2009 - 07:34

Whether to use 3 physical interfaces or to trunk depends on throughput, number of interfaces, licensing, etc. When I have multiple DMZs, I'll trunk all of the DMZ VLANs. If I have multiple insides, same thing. I prefer not to trunk inside and DMZ VLANs on a single trunk.

cowetacoit Fri, 05/22/2009 - 07:42

That makes sense, keeping them separate. I guess my problem has been I couldn't figure out how to create the actual DMZ VLANs. I have 4 gig ports and two of them are active interfaces for INSIDE and OUTSIDE. If I were to create a third physical interface for DMZ, would I create subinterfaces for the individual DMZ VLANs? I have a VLAN on my layer 3 switch that is just for the connection between my ASA and the layer 3 switch. The layer 3 switch does my inter-VLAN routing.

Collin Clark Fri, 05/22/2009 - 07:46

Create a VLAN for each DMZ. The VLAN on your L3 switch should NOT have an SVI! Here's an example of the ASA with a trunked interface. Your switch would be configured as a normal 802.1Q trunk.

interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.999
 vlan 999
 nameif dmz
 security-level 50
 ip address
!
interface Ethernet0/3.998
 vlan 998
 nameif dmz192
 security-level 50
 ip address
!

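As an added example (not from Collin's post, and not Cisco's own documentation), here is how the "completely block that access" policy and the one-to-one public mapping from the original question look in pre-8.3 ASA syntax, built on the same trunked DMZ subinterface layout. Everything specific is assumed: RFC 5737 and RFC 1918 documentation addresses, VLAN 999 for the DMZ, a web server at 10.1.99.10 published as 203.0.113.10, and the ACL names outside_in and dmz_in.

```cisco
! Added example (not from the original post): ASA 8.2 DMZ with 1:1 static NAT
! and a DMZ ACL that keeps a compromised DMZ host off the inside network.
! All addresses are documentation ranges chosen for illustration.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.999
 vlan 999
 nameif dmz
 security-level 50
 ip address 10.1.99.1 255.255.255.0
!
! Pre-8.3 static NAT: one public IP mapped 1:1 to the DMZ web server
static (dmz,outside) 203.0.113.10 10.1.99.10 netmask 255.255.255.255
!
! Inside and DMZ hosts share the outside interface address for outbound PAT
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 10.1.99.0 255.255.255.0
!
! Only HTTP/HTTPS to the published server is allowed in from the Internet
! (pre-8.3 ACLs reference the mapped/public address)
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
!
! The DMZ may reach the Internet but never the inside network; the deny is logged
! so a DMZ host probing inward shows up in syslog
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0 log
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

Without the dmz_in ACL the ASA already denies DMZ-to-inside traffic (security level 50 to 100), but an explicit, logged deny survives later "permit" additions and gives you a detection signal. If you add a second DMZ at the same security level, like dmz192 above, traffic between the two DMZs stays blocked unless you configure same-security-traffic permit inter-interface, which is usually what you want for separate DMZs.
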
cowetacoit Fri, 05/22/2009 - 07:56

Well, I have two 4506s running GLBP and EIGRP, and I have an SVI on them just for the connection to the dual ASAs. So the ASA only has INSIDE on one physical interface. I don't understand why I'm not supposed to have an SVI on my 4506. Do you mean just the DMZ, or both DMZ and INSIDE? Thanks for all of your help. I guess I'm just trying to understand the concept more than anything.

Collin Clark Fri, 05/22/2009 - 07:59

Just the DMZ. Sorry if I didn't make that clear. If you have an SVI on the switch, there's a hook into your internal network without going through ASA.

cowetacoit Fri, 05/22/2009 - 09:13

Thanks Collin, I believe I'll try this next maintenance window. But here is a twist. What if the servers are on a blade server running VMware? Any experience with a DMZ host on a VM? Right now we just have that Public Server option. Prior to the 8.2 release we just used static NAT with ACLs.

BrinksArgentina Fri, 05/22/2009 - 07:43

I use 3 physical dot1q trunks.

1) Public subinterfaces

2) Semi-public subinterfaces

3) Local subinterfaces

But if the hacked server finds a way to pass traffic to other VLANs, you are lost. The best way to avoid this is to NOT permit admin connections to your switches or firewalls from servers on the DMZ.

This shows the config for a directly connected outside on Gi0/0 and a trunk for 3 inside VLANs on Gi1/1.

The ASA routes the packets between its interfaces.

If you don't want to inspect traffic from servers to hosts, don't create those interfaces in the ASA; just keep your L3-ASA VLAN to provide DMZ and outside access to your hosts.

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet0/1
 description Solo trunk
 nameif deshab
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.12
 description ServidoresAdm
 vlan 12
 nameif srvadm
 security-level 50
 ip address
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif segurtec
 security-level 20
 ip address
!