How can I setup DMZ network

May 10th, 2014

Hi,

I would like to set up a DMZ in my network to access 5 servers from the internet. We have a total of 6 public IPs from the service provider. We have an ASA 5510 firewall with 4 ports: 1 is used for the outside interface with a public IP, another 2 are set up as a redundant interface for the inside interface, and 1 port is free. I want to connect all five servers to this port, as my management does not want DMZ traffic in the inside network. The firewall is set up in routed mode. Can someone please help to configure this?

Regards

Mukesh Patel.

mshupatel Sat, 05/10/2014 - 22:19

For more information, the IOS version on the ASA is 8.2.2.

Ruggero Delcuratolo Sun, 05/11/2014 - 03:46

Hi Mukesh,

Your outside interface needs to be configured as security-level 0, inside as security-level 100, and DMZ as security-level 50 (meaning it is less trusted than the inside and more trusted than the outside).

Create ACLs for the DMZ. For example:

access-list acl_dmz extended permit ip any host server1
access-list acl_dmz extended permit ip any host server2
access-list acl_dmz extended deny ip any any

etc.

This allows DMZ hosts to be contacted and to reply, but not to send traffic to the inside or outside directly unless you want to allow it. If you want to allow them to access some Internet sites, for example, you can create a permit rule using the DMZ server as source and the public IP as destination.

Apply the acl to the interface:

access-group acl_dmz in interface dmz

Deny access from inside to the DMZ if needed:

access-list acl_inside extended deny ip any host dmz_server1

etc

Now, if your DMZ hosts are in private address space, you also need to NAT them to a public IP to make them reachable from outside hosts. You can do it in this way:

static (dmz,outside) Public_IP_Reserved_For_Server1 Server1_Private_DMZ_IP netmask 255.255.255.255

At this point you have NATed a public IP to a DMZ server IP, and outside hosts can use the public IP to talk to your DMZ host.

mshupatel Sun, 05/11/2014 - 04:36

Hi Ruggero,

Thank you very much for the reply.

As there are a total of 5 servers and I only have one port on the firewall, I am thinking of connecting a switch to the 4th port of the firewall, and the private IP range, i.e. 172.16.1.0/24, will be configured on the servers. I have a small doubt: what is the configuration required for the 4th port on the firewall?

Regards

Mukesh Patel.

Ruggero Delcuratolo Mon, 05/12/2014 - 03:29

interface GigabitEthernetx/x
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!

The FW interface becomes the gateway for your servers, and you can assign static IPs to the servers in the 172.16.1.0/24 range. Then you can install a L2 switch and create a shared L2 VLAN between the FW DMZ interface and the servers that need to talk to the DMZ interface of the FW.

Then you can configure ACLs for the DMZ and apply them to the DMZ interface:

access-group acl_dmz in interface dmz

Do not forget that to make the 172.16.1.0/24 servers reachable from outside, you need to create static NAT entries for each server. For example:

static (dmz,outside) Server_Public_IP_1 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_2 172.16.1.3 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_3 172.16.1.4 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_4 172.16.1.5 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_5 172.16.1.6 netmask 255.255.255.255

mshupatel Mon, 05/12/2014 - 04:31

Thank you very much Ruggero,

I am going to try this solution and will let you know.

mshupatel Thu, 05/15/2014 - 04:33

Hi Ruggero,

I have done the configuration as you said, but still I am not able to access the server from the internet. Please see the attached config of my firewall.

Ruggero Delcuratolo Thu, 05/15/2014 - 04:54

Try changing it into this:

nat (dmz) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
!
This defines what your DMZ hosts can source:
no access-list acl_dmz extended permit tcp any host 172.168.1.1 eq 8080
no access-list acl_dmz extended deny ip any any
access-list acl_dmz extended deny ip any object-group branch-network
! Denies them access to inside
access-list acl_dmz extended permit ip any any
! Allows them to open anything that is not in the inside, like www
!
Just for testing you can turn on ICMP on the DMZ hosts, and remove it later:
access-list outside_access_in extended permit tcp any host public_IP eq 8080
access-list outside_access_in extended permit icmp any host public_IP echo-reply

mshupatel Sun, 05/25/2014 - 04:49

Hi Ruggero,

I have tried the above solution but it still did not work. We have a Cisco 3825 router in front of the ASA. Please find attached its config. I did not find anything that could block traffic on the 3825 router. Please let me know if there is anything wrong with this router config.

Regards

Mukesh

Ruggero Delcuratolo Tue, 05/27/2014 - 00:29

Hi Mukesh,

The firewall configuration is correct; however, when you configure a static NAT between a DMZ host and a public IP, you need to make sure that the Internet is capable of routing to your firewall's static NAT IPs via the Internet routers.

In your router I am just seeing that you have a default route to the Internet and an internal route to 10.0.0.0.

Normally the Internet router connects to the ISP router with BGP and advertises the public IP subnets to the Internet via the ISP router.

Your ISP router will publish your public subnets to the Internet via BGP and point Internet users to your CPE Internet router.

Your CPE Internet router will then route your public IPs to the firewall outside interface so that they can match the DMZ static NAT rule that you defined.

Try to do a traceroute from the Internet to your public DMZ IPs and see where it stops and where it goes; that will tell you exactly where the issue is.

mshupatel Thu, 06/12/2014 - 12:13

Hi Ruggero,

Thank you very much for helping me. For the last couple of days I was trying to solve this issue. Now it is working; your solution has worked, but with a little change.

What I did is, I removed the following ACL statement:

access-list outside_access_in extended permit tcp any host public_IP eq 8080

and I have added the following ACL statement:

access-list outside_access_in extended permit ip any host public_IP

After adding the above statement, I was able to ping the public IP.

Now the problem is we are going to run an application on our server which will use port 8080. We don't want to open all the ports. Do you have any idea what can be done to allow only traffic for port 8080?

If I permit IP then it means all ports are open which will have security issues.

Regards

Mukesh

Ruggero Delcuratolo Fri, 06/13/2014 - 01:46

Hi Mukesh,

If you want to allow only port 8080 and ICMP ping, then you just have to restrict the ip any any to tcp and the ports. For example, this one allows ping, port 80, port 443 and port 8080:

access-list outside_access_in remark For ping to work
access-list outside_access_in extended permit icmp any host public_IP
access-list outside_access_in extended permit icmp any host public_IP echo-reply
access-list outside_access_in remark For port 80 to work
access-list outside_access_in extended permit tcp any host public_IP eq www
access-list outside_access_in remark For port 443 to work
access-list outside_access_in extended permit tcp any host public_IP eq https
access-list outside_access_in remark For port 8080 to work
access-list outside_access_in extended permit tcp any host public_IP eq 8080
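As an added, complete worked configuration (not Mukesh's attached config and not Ruggero's reply), this is the end state the thread arrives at in ASA 8.2 syntax: the DMZ interface, a DMZ-to-inside block, one static NAT per server, and an inbound ACL limited to TCP/8080 with an explicit logged deny. The interface name GigabitEthernet0/3, the 10.0.0.0/8 inside range and the 203.0.113.x public addresses are assumed placeholders.

```cisco
! Added example (not the poster's config): ASA 8.2 DMZ for five servers
! Assumptions: DMZ on GigabitEthernet0/3, inside networks 10.0.0.0/8,
! public IPs 203.0.113.11-15 (documentation range, constructed placeholders)
interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
object-group network INSIDE_NETS
 network-object 10.0.0.0 255.0.0.0
!
! Outbound from DMZ: never reach inside; anything else (updates, DNS) allowed
access-list acl_dmz extended deny ip any object-group INSIDE_NETS
access-list acl_dmz extended permit ip any any
access-group acl_dmz in interface dmz
!
! One-to-one static NAT per server (pre-8.3 syntax: public IP first, then private)
static (dmz,outside) 203.0.113.11 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 172.16.1.3 netmask 255.255.255.255
static (dmz,outside) 203.0.113.13 172.16.1.4 netmask 255.255.255.255
static (dmz,outside) 203.0.113.14 172.16.1.5 netmask 255.255.255.255
static (dmz,outside) 203.0.113.15 172.16.1.6 netmask 255.255.255.255
! PAT behind the outside interface for any DMZ host that has no static entry
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Inbound from the Internet: only TCP/8080 to each published address.
! Pre-8.3, the outside ACL matches the public (translated) address.
object-group network DMZ_PUBLIC
 network-object host 203.0.113.11
 network-object host 203.0.113.12
 network-object host 203.0.113.13
 network-object host 203.0.113.14
 network-object host 203.0.113.15
access-list outside_access_in extended permit tcp any object-group DMZ_PUBLIC eq 8080
! Temporary, for reachability testing only; remove once the service is verified
access-list outside_access_in extended permit icmp any object-group DMZ_PUBLIC echo
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

The explicit final deny with log mirrors the implicit deny but records hits, which makes the "ping works but 8080 does not" situation in this thread visible in the syslog instead of silent.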

 
