05-22-2009 04:30 AM - edited 03-11-2019 08:35 AM
Could someone explain the real differences between these two options on the ASA 8.2 release? I know a DMZ is assigned a different security level and the device has a real public IP assigned to it, where the Public Server option is a server with an internal IP with one-to-one NAT. Which is more secure? Are they the same thing now?
05-22-2009 05:36 AM
Typically nowadays, even DMZ hosts get a private IP. The firewall will NAT a public IP to either the DMZ host or an internal host. Which is more secure? IMO the DMZ is more secure. If for some reason the DMZ host gets compromised, the hacker would also have to break through from the DMZ to the internal network. You can completely block that access, so they could not access the internal network. If the NAT goes directly to the inside and a hacker compromises the system, they are already on the inside.
Hope that helps.
05-22-2009 07:15 AM
I see your point. So what is the best way to set up a DMZ? Configure INSIDE, OUTSIDE, and DMZ as separate physical interfaces? Or use subinterfaces on the INTERNAL interface?
05-22-2009 07:34 AM
Whether to use 3 physical interfaces or to trunk depends on throughput, number of interfaces, licensing, etc. When I have multiple DMZs, I'll trunk all of the DMZ VLANs. If I have multiple insides, same thing. I prefer not to trunk inside and DMZ VLANs on a single trunk.
05-22-2009 07:42 AM
That makes sense, keeping them separate. I guess my problem has been I couldn't figure out how to create the actual DMZ VLANs. I have 4 gig ports and two of them are active interfaces for INSIDE and OUTSIDE. If I was to create a third physical interface for DMZ, would I create subinterfaces for the individual DMZ VLANs? I have a VLAN on my layer 3 switch that is just for the connection between my ASA and the layer 3 switch. The layer 3 switch does my inter-VLAN routing.
05-22-2009 07:46 AM
Create a VLAN for each DMZ. The VLAN on your L3 switch should NOT have an SVI! Here's an example of the ASA with a trunked interface. Your switch would be configured as a normal 802.1Q trunk.
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
! The vlan command is required for an ASA subinterface to pass traffic;
! the VLAN IDs below are assumed to match the subinterface numbers.
interface Ethernet0/3.999
 vlan 999
 nameif dmz
 security-level 50
 ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/3.998
 vlan 998
 nameif dmz192
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
05-22-2009 07:56 AM
Well, I have two 4506s running GLBP and EIGRP, which I have an SVI on just for the connection to the dual ASAs. So the ASA only has INSIDE on one physical interface. I don't understand why I'm not supposed to have an SVI on my 4506. Do you mean just the DMZ, or both DMZ and INSIDE? Thanks for all of your help. I guess I'm just trying to understand the concept more than anything.
05-22-2009 07:59 AM
Just the DMZ. Sorry if I didn't make that clear. If you have an SVI on the switch, there's a hook into your internal network without going through ASA.
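A check for the point above, as an added example that is not from this thread or from Cisco: given an ASA config in the subinterface style shown earlier and the L3 switch's running config, it lists every DMZ VLAN (security level below inside) that also has a routed SVI on the switch. Both sample configs are constructed for the example.

```python
import re
# Constructed sample ASA config in the thread's style: the DMZ is a subinterface on a trunk.
ASA = """interface Ethernet0/3.999
 vlan 999
 nameif dmz
 security-level 50
!
interface Ethernet0/1.20
 vlan 20
 nameif inside
 security-level 100
"""
# Constructed L3 switch config: VLAN 999 mistakenly has a routed SVI next to the ASA's DMZ.
SWITCH = """interface Vlan20
 ip address 10.1.4.2 255.255.252.0
!
interface Vlan999
 ip address 172.16.100.2 255.255.255.0
"""

def stanzas(config):
    """Return [(interface name, [body lines])] for each 'interface' stanza."""
    out, cur = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = (line.split(None, 1)[1], [])
            out.append(cur)
        elif line.startswith(" ") and cur is not None:
            cur[1].append(line.strip())
        else:
            cur = None  # '!' or any other top-level line ends the stanza
    return out

def asa_dmz_vlans(asa_config, inside_level=100):
    """Map VLAN id -> nameif for ASA subinterfaces whose security level is below inside."""
    dmz = {}
    for _, body in stanzas(asa_config):
        f = dict(m.groups() for l in body if (m := re.match(r"(vlan|nameif|security-level) (\S+)$", l)))
        if {"vlan", "nameif"} <= f.keys() and int(f.get("security-level", inside_level)) < inside_level:
            dmz[int(f["vlan"])] = f["nameif"]
    return dmz

def routed_svis(switch_config):
    """VLAN ids whose SVI on the switch carries an IP address and is not shut down."""
    return {int(m.group(1)) for name, body in stanzas(switch_config)
            if (m := re.match(r"Vlan(\d+)$", name)) and "shutdown" not in body
            and any(l.startswith("ip address ") for l in body)}

def dmz_svi_violations(asa_config, switch_config):
    """DMZ VLANs that also have a routed SVI: each is a path into the LAN that bypasses the ASA."""
    dmz = asa_dmz_vlans(asa_config)
    return sorted((v, dmz[v]) for v in dmz.keys() & routed_svis(switch_config))
```

Run it against `show running-config` output from both boxes; an empty list means no DMZ VLAN is routed on the switch, which is what Collin's advice requires.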
05-22-2009 09:13 AM
Thanks Collin, I believe I'll try this next maintenance window. But here is a twist. What if the servers are on a blade server running VMware? Any experience with a DMZ host on a VM? Right now we just have that Public Server option. Prior to the 8.2 release we just used static NAT with ACLs.
05-22-2009 07:43 AM
I use 3 physical dot1q trunks.
1) Public subinterfaces
2) Semi-public subinterfaces
3) Local subinterfaces
But, if the hacked server found a way to pass traffic to other VLANs, you are lost. The best way to avoid this is to NOT permit admin connections to your switches or firewalls from servers on the DMZ.
This shows the config for a directly connected outside on Gi0/0 and a trunk for 3 inside VLANs on Gi1/1.
The ASA routes the packets between its interfaces.
If you don't want to inspect traffic from servers to hosts, don't create those interfaces in the ASA; just keep your L3-ASA VLAN to provide DMZ and outside access to your hosts.
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface GigabitEthernet0/1
 description Solo trunk
 nameif deshab
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.12
 description ServidoresAdm
 vlan 12
 nameif srvadm
 security-level 50
 ip address 10.1.2.1 255.255.255.128
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif segurtec
 security-level 20
 ip address 10.1.30.1 255.255.255.0
!
Guido.
Please rate if that was useful to you.