Firewall ASA source server question

Amafsha1
Level 2

Please forgive me as I am learning ASA recently.

 

Let's say I have 3 configured interfaces on my ASA:

 

1. Internal

2. External

3. DMZ

 

Let's say I have a server called "web-server" @ 1.1.1.1.

 

Let's say I already have a rule on the firewall that already exists, and it says "source web-server_1.1.1.1" "destination-outside to world"

 

Now Let's say when I look at this rule under "Access Rules", it's under the category of "DMZ".  

 

Does this automatically mean that this web-server MUST be in the DMZ, since the rule states the web-server as source under the DMZ category?


Hello Amafsha1,

From the ASA's perspective, you need to think about where this connection will come from.

I.e., your web server will initiate the connection to the Internet.
Your web server is on the network to which the firewall's DMZ interface is connected.

So you need to create an access-list that is associated with the DMZ interface, like below:

access-list dmz_in extended permit tcp host web-server host internet-ip-address eq 80
access-group dmz_in in interface dmz

"Your web server is on the network which the firewall has the DMZ interface connected."

 

Ok, so what does the DMZ interface consist of?  Does it consist of a bunch of subnets that get classified as the "dmz interface" under the firewall... in which those subnets need to take the path of the DMZ interface to get to the internet like the "webserver"?

 

The part that confuses me is: how can the webserver be put in a rule as source for the "inside" and source for the "dmz"?  If the webserver is truly behind the DMZ, then why would I ever write a rule specifying the webserver as source for the inside?

 

 

johnd2310
Level 8

Hi,

What is the ip address of the Web server and what is the ip address of the DMZ interface? If they are in the same network, then the Web Server is behind the DMZ interface.

 

Thanks

John

**Please rate posts you find helpful**

The webserver and the DMZ interface ip address are on different subnets and that was a great question because that is what confuses me the most:

 

When people say "the webserver is in the DMZ" what do they mean from a firewall standpoint?  

 

 

 

They mean the firewall will receive and transmit traffic to and from the web server using its DMZ interface.

 

That does not mean the web server has to be in the same subnet as the DMZ interface because you could have a L3 device in the DMZ routing multiple subnets, but this is unusual, i.e. usually, as John says, the web server would have an IP from the same subnet.

 

If you want to work out which interface your firewall is using for the web server then first check the interface IP subnets on the firewall and see if any of them are using the same IP subnet as the web server. 

 

If they aren't then look at the routing table on the firewall to see which interface the firewall uses to get to the web server subnet. 

 

Jon
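The two-step check Jon describes (interface subnets first, then the routing table) is a longest-prefix-match lookup. Below is an added illustration, not code from the thread or from Cisco, that performs that lookup over constructed interface and static-route data and then emits the ACL for the one interface where traffic from the server arrives; the interface names, addresses and the "web-server" host are placeholders.

```python
import ipaddress

# Constructed example data (not from the thread): ASA interface subnets and
# static routes, as you would read them from "show interface ip brief" and
# "show route". All addresses are placeholders.
INTERFACES = {
    "inside":  "10.1.0.1/24",
    "outside": "203.0.113.2/30",
    "dmz":     "192.0.2.1/24",
}

# Static routes: (destination prefix, next hop, egress interface).
# The second entry models a web server subnet behind an L3 device in the DMZ.
STATIC_ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "outside"),
    ("192.0.2.128/25", "192.0.2.254", "dmz"),
]

def build_routing_table(interfaces, static_routes):
    """Connected routes (one per interface subnet) plus the static routes."""
    table = []
    for name, cidr in interfaces.items():
        table.append((ipaddress.ip_network(cidr, strict=False), name, "connected"))
    for prefix, _next_hop, ifname in static_routes:
        table.append((ipaddress.ip_network(prefix), ifname, "static"))
    return table

def interface_for_host(host, interfaces, static_routes):
    """Longest-prefix match: which ASA interface faces this host?
    Returns (interface_name, route_kind) or None if no route covers it."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, ifname, kind in build_routing_table(interfaces, static_routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, kind)
    return None if best is None else (best[1], best[2])

def acl_lines(host, interfaces, static_routes, dst="any", port=80):
    """ACL applied inbound on the single interface where the host's traffic
    arrives; applying it on a second interface would bypass the DMZ."""
    match = interface_for_host(host, interfaces, static_routes)
    if match is None:
        raise ValueError(f"no route to {host}")
    ifname, _kind = match
    acl = f"{ifname}_in"
    return [
        f"access-list {acl} extended permit tcp host {host} {dst} eq {port}",
        f"access-group {acl} in interface {ifname}",
    ]
```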

wow thank you Jon, you made this SO much more clear for me now.  Once I saw the routing table it started making more sense.  The webserver is not on the same subnet as the dmz interface but there is a static route that points the webserver to the dmz interface (gateway IP).

 

Ok, now I have one last question:  Is it possible to write a rule under both the "inside" and "dmz" interface where a webserver is the "source"?   I know obviously that writing a rule under the dmz interface for the webserver to be source is possible since its default ip gateway is the dmz, but is it possible to write a rule under the inside interface where the webserver is the source?  I know it's a weird question, I'm just wondering if it makes logical sense, because from what I'm understanding it wouldn't, because the webserver's default IP gateway is the dmz interface, so having a default ip gateway for the inside interface subnet would mean 2 different static routes for the same webserver, which wouldn't make sense, right?

 

You would only apply an acl for the web server on the firewall interface where the traffic will arrive so it won't be both interfaces or it shouldn't because you have in effect bypassed the DMZ by doing this. 

 

So if the firewall sends traffic to the web server via the DMZ interface and traffic from the web server arrives at the firewall on the DMZ interface then that is where you should use an acl for the web server. 

 

Jon
