I would like to set up a DMZ in my network to access 5 servers from the Internet. We have a total of 6 public IPs from the service provider. We have a firewall ASA 5510 with 4 ports. 1 is used for the outside interface with a public IP, another 2 are set up as a redundant interface for the inside interface, and 1 port is free. I want to connect all five servers to this port, as my management does not want DMZ traffic in the inside network. The firewall is set up in routed mode. Can someone please help me configure this?
Your outside security level needs to be configured as security-level 0, inside as security-level 100, and DMZ as security-level 50 (meaning it is less trusted than the inside and more trusted than the outside).
Create ACLs for the DMZ (the name must match the one used in the access-group command below):
access-list acl_dmz extended permit ip any host server1
access-list acl_dmz extended permit ip any host server2
access-list acl_dmz extended deny ip any any
This allows DMZ hosts to be contacted and to reply, but not to send traffic to the inside or outside directly unless you want to allow it. If you want to allow them to access some Internet sites, for example, you can create a permit rule using the DMZ server as source and the public IP as destination.
Apply the ACL to the interface:
access-group acl_dmz in interface dmz
Deny access from inside to the DMZ if needed:
access-list acl_inside extended deny ip any host dmz_server1
Now, if your DMZ hosts are in private address space, you also need to NAT them to a public IP to make them reachable from outside hosts. You can do it this way:
static (dmz,outside) Public_IP_Reserved_For_Server1 Server1_Private_DMZ_IP netmask 255.255.255.255
At this point you have NATed a public IP to a DMZ server IP, and outside hosts can use the public IP to talk to your DMZ host.
Thank you very much for the reply.
As there are five servers in total and I only have one free port on the firewall, I am thinking of connecting a switch to the 4th port of the firewall, and the private IP range 172.16.1.0/24 will be configured on the servers. I have a small doubt: what configuration is required for the 4th port on the firewall?
ip address 172.16.1.1 255.255.255.0
The FW interface becomes the gateway for your servers, and you can assign static IPs to the servers in the 172.16.1.0/24 range. Then you can install an L2 switch and create a shared L2 VLAN between the FW DMZ interface and the servers that need to talk to the DMZ interface of the FW.
Then you can configure ACLs for the DMZ and apply them to the DMZ interface:
access-group acl_dmz in interface dmz
Do not forget that to make the 172.16.1.0/24 servers reachable from outside, you need to create a static NAT entry for each server. For example:
static (dmz,outside) Server_Public_IP_1 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_2 172.16.1.3 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_3 172.16.1.4 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_4 172.16.1.5 netmask 255.255.255.255
static (dmz,outside) Server_Public_IP_5 172.16.1.6 netmask 255.255.255.255
Try changing it into this:
I have tried the above solution, but it still did not work. We have a Cisco 3825 router in front of the ASA. Please find attached the config of it. I did not find anything which could block traffic from the 3825 router. Please let me know if there is anything wrong with this router config.
The firewall configuration is correct; however, when you configure a static NAT between a DMZ host and a public IP, you need to make sure that the Internet is capable of routing to the static NAT IPs defined on your firewall via the Internet routers.
In your router I only see a default route to the Internet and an internal route to 10.0.0.0.
Normally the Internet router connects to the ISP router with BGP and advertises the public IP subnets to the Internet via the ISP router.
Your ISP router will publish your public subnets to the Internet via BGP and point Internet users to your CPE Internet router.
Your CPE Internet router will then route your public IPs to the firewall outside interface so that they can match the DMZ static NAT rule that you defined.
Try a traceroute from the Internet to your public DMZ IPs and see where it stops and where it goes; that will tell you exactly where the issue is.
Thank you very much for helping me. For the last couple of days I was trying to solve this issue. Now it is working; your solution has worked, but with a little change.
What I did is, I removed the following ACL statement:
access-list outside_access_in extended permit tcp any host public_IP eq 8080
and I added the following ACL statement:
access-list outside_access_in extended permit ip any host public_IP
After adding the above statement, I was able to ping the public IP.
Now the problem is that we are going to run an application on our server which will use port 8080. We don't want to open all the ports. Do you have any idea what can be done to allow only traffic for port 8080?
If I permit IP, it means all ports are open, which will have security issues.
If you want to allow only port 8080 and ICMP ping, then you just have to restrict the ip any any using tcp and the ports. For example, this one allows ping, port 80, port 443 and port 8080:
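The port-restricted inbound ACL that the last answer describes, together with the DMZ interface, static NAT and DMZ-egress pieces from the earlier answers, assembled into one added example. This is not configuration posted in the thread. The interface name Ethernet0/3, the public range 203.0.113.0/29 (a documentation prefix), the inside network 10.0.0.0/8 (from the 3825 route mentioned above) and all ACL and object-group names are assumptions; substitute your own. The syntax is ASA 8.2 style (pre-8.3 `static` NAT), matching the commands used in the thread.

```cisco
! Added example, not from the thread. Interface name, public range
! 203.0.113.0/29, inside network 10.0.0.0/8 and all names are assumptions.
!
! --- DMZ interface on the free 4th port, security-level 50 ---
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! --- One public IP per DMZ server (pre-8.3 static NAT). A static is
! bidirectional, so it also translates connections the server opens. ---
static (dmz,outside) 203.0.113.2 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) 203.0.113.3 172.16.1.3 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 172.16.1.4 netmask 255.255.255.255
static (dmz,outside) 203.0.113.5 172.16.1.5 netmask 255.255.255.255
static (dmz,outside) 203.0.113.6 172.16.1.6 netmask 255.255.255.255
!
! --- Inbound from the Internet: applied on the OUTSIDE interface. With
! pre-8.3 code the ACL matches the public (translated) address. Only
! TCP/8080 and ICMP echo are permitted; every other port, including the
! "permit ip" that was opened while troubleshooting, falls to the implicit
! deny at the end of the list. ---
object-group network DMZ_PUBLIC
 network-object host 203.0.113.2
 network-object host 203.0.113.3
 network-object host 203.0.113.4
 network-object host 203.0.113.5
 network-object host 203.0.113.6
access-list outside_access_in extended permit tcp any object-group DMZ_PUBLIC eq 8080
access-list outside_access_in extended permit icmp any object-group DMZ_PUBLIC echo
access-group outside_access_in in interface outside
!
! --- Traffic initiated BY the DMZ servers: applied inbound on the dmz
! interface (the direction "in interface dmz" filters). Deny the inside
! network first so a compromised DMZ host cannot pivot, then allow only
! what the servers need toward the Internet (web and DNS here). Remove the
! permits if the servers need no outbound access at all. ---
access-list dmz_access_in extended deny ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_access_in extended permit tcp 172.16.1.0 255.255.255.0 any eq 80
access-list dmz_access_in extended permit tcp 172.16.1.0 255.255.255.0 any eq 443
access-list dmz_access_in extended permit udp 172.16.1.0 255.255.255.0 any eq 53
access-group dmz_access_in in interface dmz
!
! --- Make ICMP stateful so echo-replies to a ping from outside return
! through the firewall without a separate echo-reply permit. ---
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Verify from the CLI before testing from the Internet (assumed
! source 198.51.100.10, a documentation address): the first should be
! ALLOW, the second DROP by outside_access_in. ---
! packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.2 8080
! packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.2 22
```

Two caveats worth checking before copying this. First, the outside ACL is where inbound restriction belongs: an ACL applied "in interface dmz" only sees packets leaving the DMZ servers, so it cannot limit what the Internet may reach. Second, on ASA 8.3 and later the `static` command is gone (NAT is configured with `object network` and `nat (dmz,outside) static`), and the outside ACL must reference the server's real 172.16.1.x address rather than the public IP, so the object-group above would change accordingly.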