DMZ public IP for video conference device on each floor

Hi, we have an ASA firewall.

3 interfaces:

internal
DMZ
outside

Our server room has the DMZ interface connected to a switch, with 13 or so DMZ servers in the server room.

Required: 4 devices with public IPs (from the DMZ range) in meeting rooms on floors other than the server room's.

Each floor has a switch, with physical uplinks taken to connect to the server room.
What then is the best way to get the public IPs into the meeting rooms, without physically running a cable from the DMZ switch in the server room to each meeting room, or bypassing the firewall with a new cable from our CORE switch directly into the DMZ switch?

Can I VLAN the DMZ ASA interface together with the internal interface of the ASA, then VLAN back to the meeting rooms, maybe with sub-interfaces? Any ideas?

The video conferencing equipment needs public IPs in the same range as the current DMZ subnet, and also needs to be in its own VLAN. Thanks.
Asked by philb19

Ernie Beek (Expert) commented:
Been thinking (I do that sometimes ;)

If you only want to extend the DMZ and only have one DMZ (and aren't planning on having more), you don't need to use subinterfaces on the ASA. Just set up the new (DMZ) VLAN on the switches and make the port that the ASA's DMZ interface is connected to an access port in that VLAN (assuming you use Cisco switches).

Then you are able to access the DMZ on every switch when you configure a port (on a switch) in that VLAN.

Ernie Beek (Expert) commented:
To use VLANs on the ASA you need to create sub-interfaces (so you're correct).
Something like:

! 802.1Q sub-interface of GigabitEthernet0 carrying tagged VLAN 10
interface GigabitEthernet0.10
 vlan 10

philb19 (Author) commented:
That's good, thanks Erniebeek. I guess my confusion/problem lies with the ASA being a router in effect, and the DMZ subnet (in the server room) having the DMZ interface as its gateway.
So with the meeting rooms on different floors (needing to be on this DMZ subnet), then out to the internet? How do I achieve this?

Ernie Beek (Expert) commented:
Don't make the (common) mistake to see the ASA as a router, because it isn't and doesn't quite work that way ;)

You'll need to set up the VLANs on the switches (normal network, DMZ, etc.), define what ports go into what VLAN, and set up trunks for the connections between the switches. That way you can extend the DMZ VLAN to the switch(es) on which the devices reside.

philb19 (Author) commented:
Thanks again. So the DMZ interface and the internal interface on the ASA would also need to be on this new VLAN and have sub-interfaces to reflect that, I'm guessing?

philb19 (Author) commented:
Brilliant, I think I understand. I had it stuck in my mind that all traffic on the floors goes through the internal interface of the ASA, but of course if the devices are on the DMZ subnet with their gateway being the ASA DMZ interface, setting it up as you have outlined should work.

The DMZ switch is not Cisco, it's a Nortel, but managed. I've set up VLANs on them before, so it should be OK. Thanks heaps.

Ernie Beek (Expert) commented:
My pleasure :)
If there's anything else, let me know.

pgolding00 commented:
While all the above is technically correct and will work, it's not the best in terms of security. Most security people would recommend not mixing the DMZ and internal VLANs on the same switches or trunks.

If you only have a single "inside" VLAN/subnet, or if all the devices that require public addresses can be on the same VLAN as the ASA inside interface, you can put public addresses on the few devices that require them, point their default gateway to the real public-side next-hop address, and use identity NAT (aka 1-to-1 NAT or identity static) or static (for vers 8.2 and earlier). This will make these devices appear to be on the outside subnet, but protected by the ASA. It looks strange to have devices in a subnet that does not exist at the physical place they are connected, pointing to a default gateway on a different VLAN, but it's the more proper way to do this in terms of security.

Here's one example config:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#ByNat
More info:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1161298

philb19 (Author) commented:
Thanks. I don't quite understand this part:
"point their default gateway to the real public side next hop address"

So you mean put the video conference equipment on the floors in the "public" DMZ subnet IP range? Do you mean give them a different gateway than the other DMZ servers in the server room, which is the DMZ interface on the ASA firewall?

If so, what gateway address do I give the video conference equipment? "Next hop" means, guessing here, the outside interface of the ASA? Sorry, confused with what you mean.

PS: each floor is on its own VLAN, so each video conference device is on a different VLAN. Thanks.

pgolding00 commented:
In the case where you have a DMZ subnet (different from the ASA outside subnet) on a third ASA interface, you would not use what I have described. Reviewing your initial comments, my suggestion might not be valid for your environment.

This is used where you might have a single subnet from the ISP with a mask less than 30 bits (255.255.255.252, which only gives you gateway and host), e.g. it might be 1.2.3.0/25 or 255.255.255.128. So you might put 1.2.3.1 on the ASA outside. Assume the ISP gateway is 1.2.3.126. Then you can config 1.2.3.2 up to .125 on hosts connected to the VLAN on the ASA inside (maybe that's 192.168.50.0/24; it does not matter for this example). On the host with 1.2.3.2/25, which is placed inside the ASA (not on the DMZ interface), you give it default gateway 1.2.3.126 plus create the identity static or identity NAT for 1.2.3.2, and everyone is happy. 1.2.3.2 can be accessed from the internet, based on the access-list config for that host. You need proxy ARP enabled inside on the ASA also, which is the default.

With a VLAN per floor or a routed network behind the ASA, this solution becomes problematic anyway.

It might be more academic than relevant to your network though, given your initial question. Apologies if I have added confusion rather than clarity.

pgolding00 commented:
All that said, the same concept can be used to put outside-subnet public-addressed hosts behind the DMZ interface, in exactly the same manner. That might be of more use to you?

Ernie Beek (Expert) commented:
Though I agree that some might discuss the mixing of DMZ and internal VLANs on a switch, IMHO the same would go for creating a static NAT to a machine in the inside VLAN (making it publicly available). Even more so, because when the machine gets compromised it's already in the inside network...

That being said, I still stand by my provided solution (of course I do :). When set up right (no inter-VLAN routing, etc.) there should be no worries about compromising security, and it would be the simplest way to get things done in this particular setup.
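
To make the VLAN extension Ernie describes concrete, together with the "no inter-VLAN routing" condition he attaches to it, here is an added example in Cisco IOS switch syntax; it is not from the thread or from either poster. It assumes VLAN 10 for the internal network, VLAN 20 for the DMZ, the ASA DMZ interface on server-room switch port Gi1/0/1, Gi1/0/24 as the uplink on both switches, and Gi1/0/5 as the meeting-room port on a floor switch (the asker's DMZ switch is a Nortel, so the commands there will differ).

```cisco
! ---- Server-room switch (constructed example, not the thread's config) ----
vlan 10
 name INTERNAL
vlan 20
 name DMZ
!
! Port facing the ASA's DMZ interface: a plain access port in the DMZ VLAN,
! so with a single DMZ no sub-interface / 802.1Q tagging is needed on the ASA.
interface GigabitEthernet1/0/1
 description ASA-DMZ
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the floor switch: a trunk, but pruned to exactly the VLANs that
! must cross it. Leaving the default "allowed vlan all" would carry every
! VLAN to every floor; nonegotiate disables DTP so the far end cannot
! negotiate its own trunking.
interface GigabitEthernet1/0/24
 description UPLINK-FLOOR3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! No SVI for the DMZ VLAN on any switch: the only Layer 3 exit from VLAN 20
! must be the ASA DMZ interface. If the core routes between VLANs, VLAN 20
! must stay excluded, otherwise DMZ traffic has a path around the firewall.
no interface Vlan20
!
! ---- Floor switch (same VLAN definitions, mirror of the trunk) ----
vlan 20
 name DMZ
!
interface GigabitEthernet1/0/24
 description UPLINK-SERVER-ROOM
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Meeting-room port: access port in the DMZ VLAN. The video device is given
! a public IP from the existing DMZ subnet with the ASA DMZ interface as its
! default gateway, exactly like the servers in the server room.
interface GigabitEthernet1/0/5
 description MEETING-ROOM-VC
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

Verify with "show interfaces trunk" that VLAN 20 appears as allowed and active only on the uplinks that need it, and with "show ip interface brief" that no switch has an up Vlan20 SVI.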

pgolding00 commented:
In the real world, more often than not cost determines what is actually deployed, and it ends up as Ernie has suggested. My aim is to raise awareness of best practice, draw comparisons with, and highlight differences between that and common practice.

Ernie Beek (Expert) commented:
It's always good if there's someone around to raise awareness, especially because I'm more of the pragmatic approach. Don't feel attacked in any way; it's always good to create a little awareness :)