Could someone explain the real differences between these two options on the ASA 8.2 release? I know a DMZ is assigned a different security level and the device has a real public IP assigned to it, where the Public Server option is a server with an internal IP with one-to-one NAT. Which is more secure? Are they the same thing now?
Typically nowadays, even DMZ hosts get a private IP. The firewall will NAT a public IP to either the DMZ host or an internal host. Which is more secure? IMO the DMZ is more secure. If for some reason the DMZ host gets compromised, the hacker would also have to break through from the DMZ to the internal network. You can completely block that access, so they could not access the internal network. If the NAT goes directly to the inside and a hacker compromises the system, they are already on the inside.
Hope that helps.
I see your point. So what is the best way to set up a DMZ? Configure INSIDE, OUTSIDE, and DMZ as separate physical interfaces? Or use subinterfaces on the INTERNAL interface?
Whether to use 3 physicals or to trunk depends on throughput, number of interfaces, licensing, etc. When I have multiple DMZs, I'll trunk all of the DMZ VLANs. If I have multiple insides, same thing. I prefer not to trunk inside and DMZ VLANs on a single trunk.
That makes sense, keeping them separate. I guess my problem has been I couldn't figure out how to create the actual DMZ VLANs. I have 4 gig ports and two of them are active interfaces for INSIDE and OUTSIDE. If I were to create a third physical interface for DMZ, would I create subinterfaces for the individual DMZ VLANs? I have a VLAN on my layer 3 switch that is just for the connection between my ASA and the layer 3 switch. The layer 3 switch does my inter-VLAN routing.
Create a VLAN for each DMZ. The VLAN on your L3 switch should NOT have an SVI! Here's an example of the ASA with a trunked interface. Your switch would be configured as a normal 802.1Q trunk.
no ip address
ip address 172.16.100.1 255.255.255.0
ip address 192.168.100.1 255.255.255.0
Well, I have two 4506s running GLBP and EIGRP, and I have an SVI on them just for the connection to the dual ASAs. So the ASA only has INSIDE on one physical interface. I don't understand why I'm not supposed to have an SVI on my 4506. Do you mean just the DMZ, or both DMZ and INSIDE? Thanks for all of your help. I guess I'm just trying to understand the concept more than anything.
Just the DMZ. Sorry if I didn't make that clear. If you have an SVI on the switch, there's a hook into your internal network without going through ASA.
Thanks Collin, I believe I'll try this next maintenance window. But here is a twist. What if the servers are on a blade server running VMware? Any experience with a DMZ host on a VM? Right now we just have that Public Server option. Prior to the 8.2 release we just used static NAT with ACLs.
I use 3 physical dot1q trunks:
1) Public subinterfaces
2) Semi-public subinterfaces
3) Local subinterfaces
But if the hacked server finds a way to pass traffic to other VLANs, you are lost. The best way to avoid this is to NOT permit admin connections to your switches or firewalls from servers on the DMZ.
This shows the config for a directly connected outside on Gi0/0 and a trunk for 3 inside VLANs on Gi1/1.
The ASA routes the packets between its interfaces.
If you don't want to inspect traffic from servers to hosts, don't create those interfaces in the ASA; just keep your L3-ASA VLAN to provide DMZ and outside access to your hosts.
ip address 184.108.40.206 255.255.255.248
description Solo trunk
no ip address
ip address 10.1.2.1 255.255.255.128
ip address 10.1.4.1 255.255.252.0
ip address 10.1.30.1 255.255.255.0
Please rate if that was useful to you.
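To tie the thread together, here is an added example configuration that is not from any of the posters above: an ASA 8.2 with a directly connected outside, one inside interface toward the L3 switch, and a single trunked physical port carrying two DMZ VLANs as subinterfaces. It shows the pieces the Public Server wizard generates (a one-to-one static and an access rule) applied to a host in the DMZ, and the DMZ inbound ACL and management restrictions that keep a compromised DMZ host off the inside and off switch/firewall management. Interface numbers, VLAN IDs, the 203.0.113.0/24 public block (a documentation range), the 10.0.0.0/8 internal range and all host addresses are assumptions chosen for illustration.

```cisco
! Added example, not a config posted in this thread. All names, VLAN IDs and
! addresses are assumed values for illustration.
hostname ASA-EDGE
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Point-to-point VLAN to the L3 switch; the switch keeps its SVI here only.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.252
!
! Parent interface for the DMZ trunk: no nameif, no address. The switch side
! is a plain 802.1Q trunk carrying VLANs 100 and 101, and those two VLANs have
! NO SVI on the L3 switch, so the only L3 hop out of a DMZ is this ASA.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif dmz1
 security-level 50
 ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet0/2.101
 vlan 101
 nameif dmz2
 security-level 40
 ip address 172.16.101.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
!
! 8.2-style NAT. A static one-to-one maps a public address to the web server,
! which lives in dmz1 rather than on the inside. This is the same thing the
! ASDM Public Server wizard writes, just pointed at a DMZ host.
static (dmz1,outside) 203.0.113.10 172.16.100.10 netmask 255.255.255.255
! Everything else leaves through PAT on the outside address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 0.0.0.0 0.0.0.0
!
! Pre-8.3 access lists match on the MAPPED (public) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Containment: traffic sourced in dmz1 may not enter the internal range or the
! other DMZ. Because security-level alone would let dmz1 (50) reach dmz2 (40),
! the deny is explicit. Remaining traffic (Internet-bound) is allowed.
access-list DMZ1_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_IN extended deny ip any 172.16.101.0 255.255.255.0
access-list DMZ1_IN extended permit ip any any
access-group DMZ1_IN in interface dmz1
!
access-list DMZ2_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ2_IN extended deny ip any 172.16.100.0 255.255.255.0
access-list DMZ2_IN extended permit ip any any
access-group DMZ2_IN in interface dmz2
!
! Firewall management is accepted only from the inside network, never from a
! DMZ interface; apply the same rule on the switches' vty/management ACLs.
http server enable
http 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
```

With this layout, a server in dmz1 that is taken over can still talk to the Internet on the public address, but its only path toward 10.0.0.0/8 or the second DMZ is through the ASA, where the DMZ1_IN list drops it, and neither the ASA nor (with a matching vty ACL) the switches accept a management session from it. To compare with the Public Server approach, change the static to (inside,outside) and the server's address to an internal one: the same wizard output then lands the exposed host directly on the inside network.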