Solved

Cisco ASA 5505 DMZ question

Posted on 2011-09-28
8
1,277 Views
Last Modified: 2012-05-12
I have a Cisco ASA 5505, with a license that only allows restricted DMZ access. Currently it is setup with two interfaces in each server that needs to be in the DMZ, one on our internal network, and one in our DMZ. This is so that we can access our database locally, and pull information to our hosted web sites, which are accesible from the outside. I'm under the impression that this configuration is wrong, and defeats the purpose of a DMZ. However during the time to get these sites up an running, I couldn't find another way. Can anybody lend some suggestions on the best way to allow communication between servers in the DMZ, and also keep it as secure as possible?

Thanks
0
Comment
Question by:QuietBot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 36717377
Can you post the sanitized output from a SHOW VER on the ASA so we can check your licensing.      Also a post of your config would help as well.  
0
 

Author Comment

by:QuietBot
ID: 36717495
Show Ver:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10        
WebVPN Peers                : 2        
Dual ISPs                   : Disabled  
VLAN Trunk Ports            : 0        

This platform has a Base license.

Show Run:

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 20.8.81.170 255.255.255.248
 ospf cost 10
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.168.28.10 255.255.252.0
 ospf cost 10
!
interface Vlan252
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 172.168.252.1 255.255.255.0
!
interface Ethernet0/0
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/3
 switchport access vlan 2
 shutdown
!
interface Ethernet0/4
 switchport access vlan 2
 shutdown
!
interface Ethernet0/5
 switchport access vlan 2
 shutdown
!
interface Ethernet0/6
 switchport access vlan 2
 shutdown
!
interface Ethernet0/7
 switchport access vlan 252
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.168.252.0 255.255.255.0
static (dmz,outside) tcp 20.8.81.174 www 172.168.252.146 81 netmask 255.255.255.255
static (inside,outside) 20.8.81.172 192.221.0.20 netmask 255.255.255.255
static (outside,dmz) 172.168.252.114 20.8.81.171 netmask 255.255.255.255
static (dmz,outside) 20.8.81.171 172.168.252.114 netmask 255.255.255.255
static (dmz,outside) 20.8.81.173 172.168.252.143 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 20.8.81.169 1
route inside 172.168.0.0 255.255.252.0 172.168.28.1 1
route inside 172.168.4.0 255.255.252.0 172.168.28.1 1
route inside 172.168.8.0 255.255.252.0 172.168.28.1 1
route inside 172.168.12.0 255.255.252.0 172.168.28.1 1
route inside 172.168.16.0 255.255.252.0 172.168.28.1 1
route inside 172.168.20.0 255.255.252.0 172.168.28.1 1
route inside 172.168.24.0 255.255.252.0 172.168.28.1 1
route inside 192.221.0.0 255.255.0.0 172.168.28.1 1
route inside 172.168.32.0 255.255.252.0 172.168.28.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.168.0.0 255.255.255.0 inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0

service-policy global_policy global
prompt hostname context
Cryptochecksum:32a16f032b829e6c99e123c4aba69099
: end


0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36717611
The version you run does indeed have a restricted DMZ because you have the BASE version.  Look here: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Specifically:   3 Two regular zones and one restricted zone that can only communicate with one other zone
This means that your DMZ can speak with the inside or with the outside, but not both.    

The best way to get this to work is to upgrade your 5505 lic to a security plus lic.    That way your DMZ can be hit through the ASA from the inside like it should be.   Then you can dump the 2nd interface in each server and control access to that server using access lists from the inside.    Plus, the dmz traffic from the hosts would be blocked from going inside unless the ASA specifically has rules built to allow it.  



Some things that jumped out at me:

>>static (outside,dmz) 172.168.252.114 20.8.81.171 netmask 255.255.255.255
I don't see the need for this.   I think you can safely remove it.  

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:QuietBot
ID: 36718150
That's what I was thinking, just wanted to get an opinion on the situation at hand.

also the static rule allows the outside IP to be forwarded the the internal website IP, pretty sure I need that to be able to access the site from outside

Thanks
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 36718262
You do need the static, but it looks like this line was in error:
>>static (outside,dmz) 172.168.252.114 20.8.81.171 netmask 255.255.255.255

This would be the correct one:
>>static (dmz,outside) 20.8.81.171 172.168.252.114 netmask 255.255.255.255

You can remove the 1st line.

0
 

Author Comment

by:QuietBot
ID: 36718450
Oh, I see what your saying, Thanks!
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 36719155
So you good on this then?   Anything else I can clear up for you?
0
 

Author Comment

by:QuietBot
ID: 36719175
That covers it, thanks!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question