Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 442
  • Last Modified:

ASA Configuration / Hiding Internal IP from DMZ

We have an ASA 5510 and we are trying to set up a new network segment that will function as a DMZ. We want requests to ports 25 and 443 to pass through the DMZ and then onto the internal network, which is connected through another interface. I am having trouble obfuscating the internal network segment from the DMZ. I don't want to give out any information about internal network addresses to the DMZ.

Let's say our DMZ address segment is 192.168.80.0/24 and our internal address segment is 192.168.240.0/24. I have successfully created rules that allow ports 25 and 443 from the outside into the DMZ and they route to the correct servers. Now, I'd like to be able to allow our DMZ servers to connect to obfuscated addresses (either fake addresses on the same network segment or ones that don't truly exist) instead of connecting directly to 192.168.240.X.

I do not entirely know if this is possible, but if you can generally describe without asking me to output my configuration, that would be preferable.

Thanks!
0
cculver
Asked:
cculver
1 Solution
 
max_the_kingCommented:
Hi, you cannot do that but mostly it doesn't make sense.

Your servers sit in DMZ and are separated from internal LAN: this means that you are allowing access from outsdie (internet) on them without compromising internal servers and workstations (that's fine).

By default on ASA, DMZ hosts cannot communicate with hosts behind inside interface (that's fine again), while yous internal hosts can initiate communication towards DMZ hosts.

Now, if you need to open any socket (TCP/IP connection an any port) from DMZ to internal hosts you must apply a rule (access-list and correct "nat-routing") to allow this. That is how it is supposed to work and it is fine.
It is not a security hole, just a monitored rule that allows your users do their job. If a server in DMZ gets compromised, yes, theorically from there you might try and reach your internal hosts, but it can only happen through the rule (which you must know) you have applied.

hope this helps
Max
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now