Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

DMZ vs Public Sever option in 8.2

Could someone explain the real differences between these two options on the ASA 8.2 release? I know a DMZ is assigned a different security level and the device has a real public IP assigned to it where the Public Server option is a server with a internal IP with one to one NAT. Which is more secure? Are they the same thing now?

9 REPLIES

Re: DMZ vs Public Sever option in 8.2

Typically now a days, even DMZ hosts get a private IP. The firewall will NAT a public IP to either the DMZ host or an internal host. Which is more secure? IMO the DMZ is more secure. If for some reason the DMZ host gets compromised, the hacker would also have to break through from the DMZ to the internal network. You can completely block that access, so they could not access the internal network. If the NAT goes directly to the inside and a hacker compromises the system, they are already on the inside.

Hope that helps.

Community Member

Re: DMZ vs Public Sever option in 8.2

i see your point. So what is the best way to set up a DMZ? Configure an INSIDE, OUTSIDE, and DMZ seperate physical interfaces? Or use subinterfaces on the INTERNAL interface?

Re: DMZ vs Public Sever option in 8.2

Whether to use 3 physical or to trunk depends on thoughput, number of interfaces, licensing, etc. When I have multiple DMZ's, I'll trunk all of the DMZ VLANs. If I have multiple insides, same thing. I prefer not to trunk inside and DMZ VLAN's on a single trunk.

Community Member

Re: DMZ vs Public Sever option in 8.2

That makes sense keeping them seperate. i guess my problem has been i couldn't figure out how to create the actual DMZ vlans. i have a 4 gig ports and two of them are active interfaces for INSIDE and OUTSIDE. If i was to create a third physical interface, for DMZ, would I create subinterfaces for the individual DMZ vlans? I have a vlan on my layer 3 switch that is just for the connection between my ASA and the layer 3 switch. The layer 3 switch does my intervlan routing.

Re: DMZ vs Public Sever option in 8.2

Create a VLAN for each DMZ. The VLAN on your L3 switch should NOT have an SVI! Here's an example of the ASA with a trunked interface. Your switch would be configured as a normal 802.1Q trunk.

interface Ethernet0/3

no nameif

no security-level

no ip address

!

interface Ethernet0/3.999

nameif dmz

security-level 50

ip address 172.16.100.1 255.255.255.0

!

interface Ethernet0/3.998

nameif dmz192

security-level 50

ip address 192.168.100.1 255.255.255.0

!

Community Member

Re: DMZ vs Public Sever option in 8.2

Well i have two 4506s running GLBP and EIGRP, which i have a SVI on them just for the connection to the dual ASAs. So the ASA only has INSIDE on one physical interface. I don't understand why i'm not supposed to have an SVI on my 4506. Do you mean just the DMZ or both DMZ and INSIDE. Thanks for all of your help. I guess i'm just trying to understand the concept more than anything.

Re: DMZ vs Public Sever option in 8.2

Just the DMZ. Sorry if I didn't make that clear. If you have an SVI on the switch, there's a hook into your internal network without going through ASA.

Community Member

Re: DMZ vs Public Sever option in 8.2

Thanks Collin, i believe i'll try this next maintenance window. But here is a twist. What if the servers are on a bladeserver running VM ware? Any experience with a DMZ host on a VM? Right now we just have that Public Server option. prior to the 8.2 release we just used static nat with acls.

Community Member

Re: DMZ vs Public Sever option in 8.2

I use 3 phisicals trunks dot1q.

1) Publics subinterfaces

2) SemiPublics subinterfaces

3) Local subinterfaces

But, if the hacked server found the way to pass traffic to other VLANs, you are lost. The best way to avoid this is to NOT permit admin connections to your switchs or firewalls from servers on the DMZ.

This show the config for a direct connected outside on Gi0/0 and a trunk for 3 inside VLANs on Gi1/1.

The ASA route the packets between its interfaces.

If you dont want to inspect traffic from servers to hosts, don't creat that interfaces in the ASA, just keep you L3-ASA VLAN to provide DMZ and ouside access to your hosts

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.248

!

interface GigabitEthernet0/1

description Solo trunk

nameif deshab

security-level 0

no ip address

!

interface GigabitEthernet0/1.12

description ServidoresAdm

vlan 12

nameif srvadm

security-level 50

ip address 10.1.2.1 255.255.255.128

!

interface GigabitEthernet0/1.20

vlan 20

nameif inside

security-level 100

ip address 10.1.4.1 255.255.252.0

!

interface GigabitEthernet0/1.30

vlan 30

nameif segurtec

security-level 20

ip address 10.1.30.1 255.255.255.0

!


Guido.

Please rate if that was usefull to you

204
Views
0
Helpful
9
Replies
CreatePlease to create content