Dear Experts,
I'm in the process of brain storming how I want to set up a DMZ on my ASA 5510. We'll be doing some network changes and I want all my web servers to sit on the DMZ. I posted my config for your review.
I need advice/suggestions on how the best way to set up the folling:
DMZ subnet will be: 172.16.1.0/24
Public addresses for DMZ server will be: 205.154.x.12, 205.154.x.13 etc.
Web server private IP's: 172.16.1.1, 172.16.1.2 etc.
I would need people to be able to access the DMZ servers from the outside but I will also need some of my private lan subnets to be able to talk to some of the servers on the DMZ. I may also want to add some acls so only certain ports are open from my local lan to the DMZ.
I appreciate your help and suggestions!
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Medassurant,
Could you give me an example with the config I attached earlier. I want to create an ACL that will allow only 10.229.24.0 subnet to talk to the DMZ servers but no one else on my local LAN. I'm a little confused as to what interfaces I would apply the acls to. If I apply it to my inside "in" interface, I don't want it interferring with my other users going out to the internet , etc.
Thanks for your help!
sure here is a quick example config let me know if the acls are off but its pretty straight forward
you have to set up four thing
nat
routes
acls
and apply the acls
access-list outside_int extended permit tcp any host 209.165.200.227 eq 80
access-list dmz_int permit tcp host 172.16.1.12 eq 80
access-list inside extended line 1 deny tcp any host 172.16.1.10 eq 1433
access-list inside extended line 2 permit ip any any log
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz,outside) 205.154.x.12 172.16.1.12 netmask 255.255.255.255 0 0
access-group outside_int in interface outside
access-group dmz_int in interface dmz
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
If I'm reading this right you're applying this ACL to block all traffic going to a host on my DMZ from the local LAN:
access-list inside extended line 1 deny tcp any host 172.16.1.10 eq 1433
access-list inside extended line 2 permit ip any any log
And... this rule (static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0) is allowing the 10.1.1.0 subnet to talk to all host on the DMZ while still restricting access on the other acl?
(static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0) is not a rule is a nat statement which says to keep 10.1.1.0 network addresses the same when they are going to the dmz interface. The config I gave is a nice example of what is required, my inside acl only denies access to 172.16.1.12 over port 1433 but it could read
access-list inside extended line 1 deny ip any host 172.16.1.10 log
which would deny all traffic from behind the inside interface to that dmz host.
Okay,
So for my current situation I would do this:
static (dmz,outside) 205.154.1.1 171.16.1.10 netmask 255.255.255.255
static (inside,dmz) 10.229.24.0 10.229.24.0 netmask 255.255.255.0
static (inside,dmz) 10.101.30.0 10.101.30.0 netmask 255.255.255.0
access-list out_in extended permit tcp any host 205.154.1.1 eq 80
access-list dmz_in extended permit tcp host 172.16.1.10 any eq 80
access-group out_in in outside
access-group dmz_in in dmz
Now would I need an acl for my inside interface since I have the nat statements in place? From a security stand point - would this be an effective way of doing it to protect my inside LAN?
I kind of had one setup for certain ports outbound already but disabled it. Check out this acl and let me know what you think for my inside in acl:
access-list inside_out extended permit tcp host 10.229.24.110 any
access-list inside_out extended permit tcp host 10.229.26.19 any
access-list inside_out extended permit tcp 10.229.24.0 255.255.0.0 172.16.1.10 eq 80
access-list inside_out extended permit tcp 10.101.30.0 255.255.0.0 172.16.1.10 eq 80
access-list inside_out extended permit tcp 10.101.0.0 255.255.0.0 any object-group tcp-inside-out-ports
access-list inside_out extended permit tcp 10.229.0.0 255.255.0.0 any object-group tcp-inside-out-ports
access-list inside_out extended permit tcp 192.168.100.0 255.255.255.0 any object-group tcp-inside-out-ports
access-list inside_out extended permit udp 10.101.0.0 255.255.0.0 any object-group udp-inside-out-ports
access-list inside_out extended permit udp 10.229.0.0 255.255.0.0 any object-group udp-inside-out-ports
access-list inside_out extended permit udp 192.168.100.0 255.255.255.0 any object-group udp-inside-out-ports
access-list inside_out extended permit tcp host 10.229.24.62 any eq smtp
access-list inside_out extended permit icmp any any echo
access-list inside_out extended permit ip 10.101.0.0 255.255.0.0 192.168.105.0 255.255.255.0
access-list inside_out extended permit ip 10.229.0.0 255.255.0.0 192.168.105.0 255.255.255.0
access-list inside_out extended deny ip any any log
object-group service tcp-inside-out-ports tcp
port-object eq https
port-object eq www
port-object eq domain
port-object eq ftp
port-object eq pop3
port-object eq 123
port-object eq 3389
port-object eq 4443
port-object eq 8080
port-object eq 8250
port-object eq 33
port-object eq 7880
object-group service udp-inside-out-ports udp
port-object eq domain
port-object eq ntp
port-object eq tftp
port-object range 33434 33535
This is what I tried on my ASA and I can't ping it from my workstation on the 10.229.24.0 LAN. Here is what I applied for testing purposes:
access-list inside_in extended permit ip any any log
access-group inside_in in interface inside
access-list dmz_in extended permit ip any any log
access-group dmz_in in interface dmz
static (inside,dmz) 10.229.24.0 10.229.24.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
I can ping 172.16.1.253 ( the switch connected to the DMZ interface) from the ASA but that's about it.
Cool. Thanks for all your help. One last question:
Instead of doing acls to restrict access can I do something like this:
static (inside,dmz) tcp 10.229.24.0 80 172.16.1.10 80
static (dmz,inside) tcp 172.16.1.10 80 10.229.24.0 80
I'm just worried about applying an acl to my inside interface. I applied it a few weeks back and I got tons of calls about people not being to get to certain websites, databases etc. What do you recommend in this situation? It was pretty much that acl example I posted earlier.
Use the acl make it an ip any any at first then add more statements to it as you get better at determining what traffic you dont want people to reach on your dmz. When you have time setup a syslog server and send the logs from the asa to it and you can see all of your traffic hitting the acls, this will give you a good picture of what is going throug your firewall and let you set up the appropriate rules.
I was referring to my users going out to my internet. When I applied the acl in my inside interface I had many complaints about not being able to hit certain websites and databases. So you're saying to still add permit ip any any log and monitor the traffic for a few days and create a list of appropriate port to allow?
I tried blocking myself from being able to ping the host in the dmz by doing this:
access-list dmz_in extended deny tcp host 172.16.1.253 any
and I also tried
access-list dmz_in extended deny tcp any host 172.16.1.253
access-group dmz_in in interface dmz
and I can still ping 172.16.1.253 - what am I doing wrong?
Business Accounts
Answer for Membership
by: MedassurantPosted on 2009-11-04 at 10:19:56ID: 25742176
Here is the easy way
http://www.cisco.com/en/US