Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ASA Configuration / Hiding Internal IP from DMZ

Posted on 2012-03-09
3
425 Views
Last Modified: 2012-10-11
We have an ASA 5510 and we are trying to set up a new network segment that will function as a DMZ. We want requests to ports 25 and 443 to pass through the DMZ and then onto the internal network, which is connected through another interface. I am having trouble obfuscating the internal network segment from the DMZ. I don't want to give out any information about internal network addresses to the DMZ.

Let's say our DMZ address segment is 192.168.80.0/24 and our internal address segment is 192.168.240.0/24. I have successfully created rules that allow ports 25 and 443 from the outside into the DMZ and they route to the correct servers. Now, I'd like to be able to allow our DMZ servers to connect to obfuscated addresses (either fake addresses on the same network segment or ones that don't truly exist) instead of connecting directly to 192.168.240.X.

I do not entirely know if this is possible, but if you can generally describe without asking me to output my configuration, that would be preferable.

Thanks!
0
Comment
Question by:cculver
3 Comments
 
LVL 16

Accepted Solution

by:
max_the_king earned 500 total points
ID: 37704939
Hi, you cannot do that but mostly it doesn't make sense.

Your servers sit in DMZ and are separated from internal LAN: this means that you are allowing access from outsdie (internet) on them without compromising internal servers and workstations (that's fine).

By default on ASA, DMZ hosts cannot communicate with hosts behind inside interface (that's fine again), while yous internal hosts can initiate communication towards DMZ hosts.

Now, if you need to open any socket (TCP/IP connection an any port) from DMZ to internal hosts you must apply a rule (access-list and correct "nat-routing") to allow this. That is how it is supposed to work and it is fine.
It is not a security hole, just a monitored rule that allows your users do their job. If a server in DMZ gets compromised, yes, theorically from there you might try and reach your internal hosts, but it can only happen through the rule (which you must know) you have applied.

hope this helps
Max
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to choose hardware firewall 5 60
Palo Alto Networks - find the sec zone 3 64
VLAN Configuration on Cisco Switch 8 18
WLC and radius 4 9
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question