DMZ Advice

cowetacoit
Level 1

I currently have a couple of public servers on our internal network and I'm using the new Public Server option in ASA 8.2. What I have done is created a new interface on my ASA called DMZ, with sub-interfaces, in addition to my current Inside and Outside. The DMZ is trunked into my LAN on a layer 2 VLAN only, so traffic isn't exposed. The Outside interface is security level 0, DMZ is 50, and Inside is 100. I'm trying to figure out why I can't manage the DMZ server from my internal network. Any suggestions?

13 Replies

Collin Clark
VIP Alumni

How are you trying to manage it (RDP, SSH)? Do you have an inside ACL in place? Is it allowing the traffic? Can you see the DMZ server from the ASA?

Well, let me explain a little further. I actually failed to add the new DMZ VLAN on the BladeCenter switch, so now I can get to it. This DMZ server is a VM on an IBM BladeCenter. It is sitting on its own VLAN, which gets trunked back to the ASA on a separate interface. Now our server admin can't join it to our domain. I have the DMZ ACL to the Outside interface disabled and have the DMZ interface allowing ip any to the inside interface. What is a best practice for managing a DMZ server? Configuring rules to allow RDP, DNS, HTTP, etc.?

IMO a DMZ server should not be part of the domain, so only the necessary ports should be open. If security is important, use IPsec or RPC over HTTPS. Since you're going from a higher security interface to a lower one, you'll need to NAT. Do you have that in place? What do the logs say when the server guys try to add it to the domain?

The only NAT rule I have in place is the internal IP of the server mapped to the public IP.

You will need one from DMZ to inside and DMZ to outside (if you want internet access).

Could you provide a CLI example of the DMZ to inside? Thanks for your time!

Sure-

There are a couple of ways to do it. Let's assume the inside subnet is 192.168.5.0/24.

Translate all IPs

==================

static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Translate a single IP

======================

static (inside,dmz) 192.168.5.10 192.168.5.10 netmask 255.255.255.255

You could also do NAT exempt.

From reading the documentation for 8.2, I saw the same sort of rule. We use an entire 10.0.0.0/8 scope. When I add static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0, the ASA accepts it but the ASDM won't allow it. The NAT rule ended up displaying in the ASDM after I added it, though. I was able to ping the DMZ IP before I added this NAT, so is it necessary?

NAT is not required when going from a higher security interface to a lower one (such as your ping). When you go from a lower one to a higher one you have to NAT. The NAT statement you put in only affects traffic sourced from the DMZ destined to the inside. I don't use ASDM, so I can't help too much on what you saw.

Ok, so the (inside,dmz) was backwards.

I changed it to static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 and we still can't contact the domain controller.

Now it's backwards; it should be:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

It's a bit confusing, but what we are doing is telling the ASA that when the DMZ server wants to talk to a server on the 10 network, translate it to the same 10 network IP.

Check your log when you try to add the server to the domain and post what you see.

Michael

"Ok, so the (inside,dmz) was backwards."

No it wasn't. What Collin was explaining was that if you wanted to ping the DMZ from inside you do not need a NAT statement.

If, however, you wanted to initiate any connection from the DMZ to the inside, then you will need

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

although personally I wouldn't use a static that big, i.e. the whole 10.0.0.0/8 internal network.

As for the domain controller thing, I agree totally with Collin that you shouldn't run a machine in the DMZ that is part of your internal domain - Windows networking is just not secure enough and you end up opening no end of ports.

Does it really need to be a member of the internal domain, or is it just so you can remotely manage it?

If you absolutely must do this, then to find out the ports:

1) add the NAT rule as above

2) add an ACL to the dmz interface

access-list DMZIN extended permit ip any 10.0.0.0 255.0.0.0 log
access-group DMZIN in interface dmz

Then you should at least be able to see, by checking the logging, what ports are being used.

Jon
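To tie together Collin's identity-static examples and Jon's advice against a /8-wide static, here is an added ASA 8.2 (pre-8.3 NAT syntax) configuration fragment that is not from this thread: the loose version beside a tighter one, plus the NAT-exempt alternative Collin mentioned. Addressing is constructed: the DMZ server is assumed to be 172.16.50.10 on interface dmz, the domain controller 10.1.1.5 on interface inside, and the inside scope 10.0.0.0/8 as in the thread; the only DMZ-to-inside flow assumed necessary is DNS to that one host, while RDP management from inside to the DMZ needs no NAT because it originates on the higher-security interface.

```cisco
! Constructed addressing for this example (not from the thread):
!   DMZ server 172.16.50.10 on "dmz", domain controller 10.1.1.5 on "inside"
!
! --- Loose: identity-translate the entire /8 and permit the DMZ server to all of inside ---
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-list DMZIN-LOOSE extended permit ip host 172.16.50.10 10.0.0.0 255.0.0.0 log
access-group DMZIN-LOOSE in interface dmz
!
! --- Tighter: only the one inside host the DMZ server must reach is made
!     reachable, and only on the ports it needs. Everything else toward inside
!     is denied with "log", which still gives Jon's view of what ports are attempted. ---
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list DMZIN extended permit udp host 172.16.50.10 host 10.1.1.5 eq domain
access-list DMZIN extended permit tcp host 172.16.50.10 host 10.1.1.5 eq domain
access-list DMZIN extended deny ip host 172.16.50.10 10.0.0.0 255.0.0.0 log
! Internet-bound traffic from the DMZ server is still allowed (the existing
! static (dmz,outside) mapping to the public IP covers its outbound translation)
access-list DMZIN extended permit ip host 172.16.50.10 any
access-group DMZIN in interface dmz
!
! --- Alternative to the single-host static: NAT exemption for the same pair.
!     nat 0 with an access-list is bidirectional on 8.2, so the DMZ server can
!     initiate to 10.1.1.5 without any static; the DMZIN ACL still limits ports. ---
access-list NONAT extended permit ip host 10.1.1.5 host 172.16.50.10
nat (inside) 0 access-list NONAT
```

Apply either the single-host static or the NAT exemption, not both, and verify the result from the ASA with packet-tracer input dmz udp 172.16.50.10 1025 10.1.1.5 53 before trusting the logs.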

Thanks guys, I think I have found the solution. I got it working and added a couple of ACLs for the DMZ server to communicate with the inside network. We're also going to be configuring something called vShield in VMware 4.0.
