DMZ Advice

Unanswered Question
Sep 2nd, 2009
User Badges:

I currently have a couple public servers on our internal network and i'm using the new Public Server option in ASA 8.2. What i have done is created a new interface on my asa called DMZ with sub interfaces in addtion to my current Inside and Outside. The DMZ is trunked into my LAN on a layer 2 vlan only so traffic isn't exposed. Outside Interface is 0, DMZ is 50, and inside is 100. I'm trying to figure out why i can't manage the DMZ server from my internal network. Any suggestions?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Collin Clark Wed, 09/02/2009 - 05:22
User Badges:
  • Purple, 4500 points or more

How are you trying to manage it (RDP, SSH)? Do you have an inside ACL in place? I sit allowing the traffic? Can you see the DMZ server from the ASA?

cowetacoit Wed, 09/02/2009 - 11:03
User Badges:

Well, let me explain a little further. i actually failed to add the new DMZ vlan on the bladecenter switch so now i can get to it. This DMZ server is a VM on an ibm bladecenter. It is sitting on its own vlan which gets trunked back to the ASA on a seperate interface. Now our server admin can't join it to our domain. I have the DMZ ACL to the Outside interface disabled and have the DMZ interface allowing ip any to the inside interface. what is a best practice for managing a DMZ server? Configuring rules to allow RDP, DNS, HTTP, etc?

Collin Clark Wed, 09/02/2009 - 11:07
User Badges:
  • Purple, 4500 points or more

IMO a DMZ server should not be part of the domain so only the necessary ports should be open. If security is important use IPSec or RPC over HTTPS. Since you're going from a higher security interface to a lower one, you'll need to NAT. Do you have that in place? What does the logs say when the server guys try and add it to the domain?

cowetacoit Wed, 09/02/2009 - 11:21
User Badges:

The only NAT rule i have in place is the internal IP of the server mapped to the public IP.

Collin Clark Wed, 09/02/2009 - 11:25
User Badges:
  • Purple, 4500 points or more

You will need one from DMZ to inside and DMZ to outside (if you want internet access).

cowetacoit Wed, 09/02/2009 - 11:30
User Badges:

could you provide a CLI example of the dmz to inside? Thanks for your time!

Collin Clark Wed, 09/02/2009 - 11:59
User Badges:
  • Purple, 4500 points or more

Sure-


There a couple of ways to do it. Let's assume the inside subnet is 192.168.5.0 /24.


Translate all IPs

==================

static (inside,dmz) 192.168.5.0 192.168.5.0 255.255.255.0


Translate a single IP

======================

static (inside,dmz) 192.168.5.10 192.168.5.10 255.255.255.255


You could also do NAT exempt.


cowetacoit Wed, 09/02/2009 - 12:24
User Badges:

From reading the documentation for 8.2, i saw the same sort of rule. we use an entire 10.0.0.0 /8 scope. when i add static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 the asa accepts it but the ASDM won't allow it. The NAT rule ended up displaying in the ASDM after i added it though. I was able to ping the DMZ IP before i added this NAT so is it necessary?

Collin Clark Wed, 09/02/2009 - 12:29
User Badges:
  • Purple, 4500 points or more

NAT is not required when going from a higher security interface to a lower (such as your ping). When you go from a lower one to a higher one you have to NAT. The NAT statement you put in only effects traffic sourcing from the DMZ destined to the inside. I don't use ASDM so I can't help too much on what you saw.

cowetacoit Wed, 09/02/2009 - 13:02
User Badges:

Ok, so the (inside,dmz) was backwards.

I changed it to static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 and we still can't contact the domain controller.

Collin Clark Wed, 09/02/2009 - 13:07
User Badges:
  • Purple, 4500 points or more

Now it's backwards, it should be-


static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0


It's a bit confusing but what we are doing is telling the ASA that when the DMZ server wants to talk to a server on the 10 network, translate it to the same 10 network IP.


Check your log when you try and add the server to the domain and post what you see.



Jon Marshall Wed, 09/02/2009 - 13:10
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Michael


"Ok, so the (inside,dmz) was backwards."


No it wasn't. What Collin was explaining was that if you wanted to ping the DMZ from inside you do not need a NAT statement.


If however you wanted to initiate any connection from the DMZ to the inside then you will need


static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0


although personally i wouldn't use a static that big ie. the whole 10.0.0.0/8 internal network.


As for the domain controller thing i agree totally with Collin in that you shouldn't run a machine in the DMZ that is part of your internal domain - Windows networking is just not secure enough and you end up opening no end of ports.


Does it really need to be a member of the internal domain or is it just so you can remotely manage it ?


If you absolutely must do this then if you need to find out the ports


1) add the NAT rule as above

2) add an acl to the dmz interface


access-list DMZIN permit ip host 10.0.0.0 255.0.0.0 log


then you should at least be able to see by checking the logging what ports are being used.


Jon

cowetacoit Thu, 09/03/2009 - 09:38
User Badges:

Thanks guys, i think i have found the solution. I got it working and added a couple acls for the dmz server to communicate with the inside network. We're also going to be configuring something called vShield in VMWare 4.0.

Actions

This Discussion