10-22-2008 06:13 PM - edited 03-11-2019 07:01 AM
I have an ASA 5510 running 7.24 that has logical interfaces configured.
We will be allowing some outside vendors using our Internet link, they will be bringing their own laptops.
I was thinking of adding a DMZ and just connecting their laptops to the DMZ switch, in the new DMZ and then out the firewall to the Internet.
The only objective is to allow Internet access to these people, with no connection to our network.
I have a couple of questions:
1. Can I add the logical DMZ without interruption of existing logical DMZs?
2. Would it look something like this:
global (outside) 1 interface
nat (DMZ1) 1 0.0.0.0 0.0.0.0
access-list dmz1 extended permit tcp any any eq www
access-list dmz1 extended permit tcp any any eq https
access-list dmz1 extended permit tcp any any eq ftp
access-list dmz1 extended permit udp any any eq domain
access-group dmz1 in interface DMZ1
10-22-2008 09:37 PM
Hi,
Yes, the above configuration should work without interruption to the existing logical DMZ, provided there are no human errors :)
And, while the above configuration will work, I would try and be more specific in your NAT Commands and ACL. For example, if 10.1.1.0/24 is the subnet of the DMZ Users, then I would configure:
global (outside) 1 interface
nat (DMZ1) 1 10.1.1.0 255.255.255.0
access-list dmz1 extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list dmz1 extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list dmz1 extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list dmz1 extended permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group dmz1 in interface DMZ1
Regards,
Arul
*Pls rate if it helps*
10-23-2008 08:03 AM
Thanks for the reply.
Can the ASA5510 act as a DHCP server and provide addresses to the clients in that DMZ?
10-23-2008 08:18 AM
Yes. Each interface can have its own DHCP server. You can limit the size of the pool.
Another option if you have people with wireless is to put a wireless unit out on the public side of the firewall. This is great if you have more than one ISP address.
10-23-2008 08:43 AM
Hi,
Yes, you can configure DHCP Services on the DMZ Interface. Please refer to the URL below for details:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041659
Regards,
Arul
*Pls rate if it helps*
10-23-2008 03:57 PM
Suppose my ASA public IP interface is
1.1.1.1
By doing this:
global (outside) 1 interface
nat (DMZ1) 1 10.1.1.0 255.255.255.0
will NAT all source traffic to:
1.1.1.1
so,
If I have another address in my public ip subnet that is not being used:
1.1.1.23
could I nat all the new DMZ traffic to the unused address by doing this:
global (outside) 1 1.1.1.23
nat (DMZ1) 1 10.1.1.0 255.255.255.0
And would it be a good idea to NAT this untrusted traffic to a different address, or does it not really matter all that much?
10-23-2008 06:21 PM
Hi,
If you have a routable IP Address to spare, then I would go with Option 2. The reason being, if you configure PAT, there are only 65535 ports available, out of which the ASA picks a port above port number 1024 to do the PATTing. So, in your case if you do option 1, then both your inside and DMZ Users will be sharing the ports.
Also, like you mentioned, it's easy to track the utilization, xlate, connections, etc. if you have a separate IP Address. Please refer to the URL below that has information on PAT.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1042445
Regards,
Arul
*Pls rate if it helps*
10-23-2008 07:55 PM
Something I noticed looking at the config.
I have a failover pair and the existing subinterfaces are showing a standby address, but the one I created is not:
!
interface Ethernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/2.6
vlan 6
nameif DMZ1
security-level 30
ip address 1.1.2.1 255.255.255.0 standby 1.1.2.2
interface Ethernet0/2.7
vlan 99
nameif New_DMZ
security-level 2
ip address 1.1.3.1 255.255.255.0
Currently the ASA is on the failover unit and the primary is in standby mode.
Do I need to do anything to have the "standby" designation on the interface?
10-23-2008 08:13 PM
Hi,
Yes, you need to configure the IP Address under E0/2.7 along with the standby address.
Example:
interface Ethernet0/2.7
vlan 99
nameif New_DMZ
security-level 2
ip address 1.1.3.1 255.255.255.0 standby 1.1.3.2
Also, refer to the post below from NETPRO on the use of standby address in Failover and also the best practice. Excellent information from the two posters.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1e320/1#selected_message
Regards,
Arul
*Pls rate if it helps*
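The two recommendations in this thread, restricting the DMZ nat/access-list entries to the DMZ subnet instead of "any", and giving every failover subinterface a standby address, can be checked mechanically before a config is pushed. The following audit script is an added example written for this page, not Cisco's code or any poster's; it runs over a constructed ASA 7.x-style fragment modelled on the thread's snippets, and the finding messages are my own wording.

```python
import re

# Constructed ASA 7.x-style fragment modelled on the thread's snippets (not a real device dump).
SAMPLE_CONFIG = """
interface Ethernet0/2.6
 nameif DMZ1
 security-level 30
 ip address 1.1.2.1 255.255.255.0 standby 1.1.2.2
interface Ethernet0/2.7
 nameif New_DMZ
 security-level 2
 ip address 1.1.3.1 255.255.255.0
global (outside) 1 interface
nat (DMZ1) 1 0.0.0.0 0.0.0.0
nat (New_DMZ) 1 1.1.3.0 255.255.255.0
access-list dmz1 extended permit tcp any any eq www
access-list newdmz extended permit tcp 1.1.3.0 255.255.255.0 any eq www
access-group dmz1 in interface DMZ1
access-group newdmz in interface New_DMZ
"""

def audit_asa_config(text):
    """Return findings: missing standby addresses, any-source nat, any-source inbound ACLs."""
    findings, iface, acl_sources, applied = [], None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface and "standby" not in line:
            findings.append(f"{iface}: ip address without standby address on a failover pair")
        elif line.startswith("nat ("):
            m = re.match(r"nat \((\S+)\) \d+ (\S+) (\S+)", line)
            if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
                findings.append(f"nat ({m.group(1)}): any source; restrict to the DMZ subnet")
        elif line.startswith("access-list "):
            parts = line.split()  # access-list NAME extended permit PROTO SRC [MASK] DST ...
            if len(parts) > 5 and parts[2] == "extended":
                acl_sources.setdefault(parts[1], set()).add(parts[5])
        elif line.startswith("access-group "):
            parts = line.split()  # access-group NAME in interface IFNAME
            if len(parts) == 5:
                applied[parts[4]] = parts[1]
    # An ACL bound inbound on a DMZ interface should name that DMZ's subnet, not "any".
    for ifname, acl in applied.items():
        if "any" in acl_sources.get(acl, set()):
            findings.append(f"access-list {acl} on {ifname}: any source; use the {ifname} subnet")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_asa_config(SAMPLE_CONFIG)))
```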