Solved

Cisco ASA 5505 DMZ question

Posted on 2011-09-28
8
1,257 Views
Last Modified: 2012-05-12
I have a Cisco ASA 5505, with a license that only allows restricted DMZ access. Currently it is setup with two interfaces in each server that needs to be in the DMZ, one on our internal network, and one in our DMZ. This is so that we can access our database locally, and pull information to our hosted web sites, which are accesible from the outside. I'm under the impression that this configuration is wrong, and defeats the purpose of a DMZ. However during the time to get these sites up an running, I couldn't find another way. Can anybody lend some suggestions on the best way to allow communication between servers in the DMZ, and also keep it as secure as possible?

Thanks
0
Comment
Question by:QuietBot
  • 4
  • 4
8 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 36717377
Can you post the sanitized output from a SHOW VER on the ASA so we can check your licensing.      Also a post of your config would help as well.  
0
 

Author Comment

by:QuietBot
ID: 36717495
Show Ver:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10        
WebVPN Peers                : 2        
Dual ISPs                   : Disabled  
VLAN Trunk Ports            : 0        

This platform has a Base license.

Show Run:

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 20.8.81.170 255.255.255.248
 ospf cost 10
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.168.28.10 255.255.252.0
 ospf cost 10
!
interface Vlan252
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 172.168.252.1 255.255.255.0
!
interface Ethernet0/0
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/3
 switchport access vlan 2
 shutdown
!
interface Ethernet0/4
 switchport access vlan 2
 shutdown
!
interface Ethernet0/5
 switchport access vlan 2
 shutdown
!
interface Ethernet0/6
 switchport access vlan 2
 shutdown
!
interface Ethernet0/7
 switchport access vlan 252
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.168.252.0 255.255.255.0
static (dmz,outside) tcp 20.8.81.174 www 172.168.252.146 81 netmask 255.255.255.255
static (inside,outside) 20.8.81.172 192.221.0.20 netmask 255.255.255.255
static (outside,dmz) 172.168.252.114 20.8.81.171 netmask 255.255.255.255
static (dmz,outside) 20.8.81.171 172.168.252.114 netmask 255.255.255.255
static (dmz,outside) 20.8.81.173 172.168.252.143 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 20.8.81.169 1
route inside 172.168.0.0 255.255.252.0 172.168.28.1 1
route inside 172.168.4.0 255.255.252.0 172.168.28.1 1
route inside 172.168.8.0 255.255.252.0 172.168.28.1 1
route inside 172.168.12.0 255.255.252.0 172.168.28.1 1
route inside 172.168.16.0 255.255.252.0 172.168.28.1 1
route inside 172.168.20.0 255.255.252.0 172.168.28.1 1
route inside 172.168.24.0 255.255.252.0 172.168.28.1 1
route inside 192.221.0.0 255.255.0.0 172.168.28.1 1
route inside 172.168.32.0 255.255.252.0 172.168.28.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.168.0.0 255.255.255.0 inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0

service-policy global_policy global
prompt hostname context
Cryptochecksum:32a16f032b829e6c99e123c4aba69099
: end


0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36717611
The version you run does indeed have a restricted DMZ because you have the BASE version.  Look here: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Specifically:   3 Two regular zones and one restricted zone that can only communicate with one other zone
This means that your DMZ can speak with the inside or with the outside, but not both.    

The best way to get this to work is to upgrade your 5505 lic to a security plus lic.    That way your DMZ can be hit through the ASA from the inside like it should be.   Then you can dump the 2nd interface in each server and control access to that server using access lists from the inside.    Plus, the dmz traffic from the hosts would be blocked from going inside unless the ASA specifically has rules built to allow it.  



Some things that jumped out at me:

>>static (outside,dmz) 172.168.252.114 20.8.81.171 netmask 255.255.255.255
I don't see the need for this.   I think you can safely remove it.  

0
 

Author Comment

by:QuietBot
ID: 36718150
That's what I was thinking, just wanted to get an opinion on the situation at hand.

also the static rule allows the outside IP to be forwarded the the internal website IP, pretty sure I need that to be able to access the site from outside

Thanks
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 33

Expert Comment

by:MikeKane
ID: 36718262
You do need the static, but it looks like this line was in error:
>>static (outside,dmz) 172.168.252.114 20.8.81.171 netmask 255.255.255.255

This would be the correct one:
>>static (dmz,outside) 20.8.81.171 172.168.252.114 netmask 255.255.255.255

You can remove the 1st line.

0
 

Author Comment

by:QuietBot
ID: 36718450
Oh, I see what your saying, Thanks!
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 36719155
So you good on this then?   Anything else I can clear up for you?
0
 

Author Comment

by:QuietBot
ID: 36719175
That covers it, thanks!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now