Solved

DMZ public IP for video conference device on each floor

Posted on 2013-01-22
Last Modified: 2013-02-02
Hi, we have an ASA firewall with 3 interfaces:

internal
DMZ
outside

Our server room has the DMZ interface connected to a switch; there are 13 or so DMZ servers in the server room.

Required are 4 public-IP devices in meeting rooms on different floors from the server room, with public IPs from the DMZ range.

Each floor has a switch, with physical uplinks taken to connect to the server room.
What then is the best way to get the public IPs into the meeting rooms, without physically running a cable from the DMZ switch in the server room to each meeting room, or bypassing the firewall with a new cable from our CORE switch direct into the DMZ switch?

Can I VLAN the DMZ ASA interface, together with the internal interface of the ASA, then VLAN back to the meeting rooms? Maybe sub-interfaces? Any ideas?

The video conferencing equipment needs public IPs (same range as the current DMZ subnet) and also needs to be in its own VLAN. Thanks.
Question by: philb19

14 Comments
LVL 35

Expert Comment

by:Ernie Beek
ID: 38808987
To use VLANs on the ASA you need to create sub-interfaces (so you're correct).
Something like:
interface GigabitEthernet0/0.10
 vlan 10
 nameif dmz
 security-level 50

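As an added example (not from Ernie's post), here is what the sub-interface approach looks like end to end. It assumes an ASA 5510-class appliance running 8.x with the DMZ cabled to GigabitEthernet0/1, 802.1Q VLAN 10 for the DMZ, 203.0.113.0/24 as a stand-in for the real public DMZ range, and a Cisco IOS switch on the other end of the cable; every name, port and address here is an assumption. Ernie's later accepted answer points out that a single DMZ does not need this; the sub-interface form is what you want when more than one DMZ will hang off the same physical port.

```cisco
! --- ASA side (assumed ASA 8.x, 5510-class hardware) ---
! The physical port only carries 802.1Q tags: it gets no nameif and no IP,
! so untagged frames arriving on it are dropped.
interface GigabitEthernet0/1
 no shutdown
!
! One sub-interface per VLAN. security-level 50 sits between inside (100)
! and outside (0): DMZ hosts cannot initiate to inside without an explicit ACL.
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
! A second DMZ later is just another sub-interface on the same trunk
! (different vlan, nameif and subnet); nothing else on the ASA changes.

! --- Switch side (assumed Cisco IOS) ---
vlan 10
 name DMZ
!
! The port facing ASA Gi0/1 is a dot1q trunk carrying only the DMZ VLAN(s).
! "switchport trunk encapsulation dot1q" is needed on platforms that also
! support ISL (3560/3750); omit it on dot1q-only switches such as the 2960.
interface GigabitEthernet1/0/1
 description ASA Gi0/1 (DMZ trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
 switchport nonegotiate
 spanning-tree portfast trunk
```

Pruning the allowed-VLAN list to the DMZ VLAN(s) and disabling DTP with `switchport nonegotiate` keeps the ASA's DMZ port from ever seeing inside-VLAN frames, which is the security concern raised later in this thread about sharing switches between DMZ and internal traffic.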

Author Comment

by:philb19
ID: 38809042
That's good, thanks Erniebeek. I guess my confusion/problem lies with the ASA being a router in effect, and the DMZ subnet (in the server room) having the DMZ interface as its gateway.
So with the meeting rooms on different floors (needing to be on this DMZ subnet), then out to the internet: how do I achieve this?

LVL 35

Expert Comment

by:Ernie Beek
ID: 38809074
Don't make the (common) mistake of seeing the ASA as a router, because it isn't and doesn't quite work that way ;)

You'll need to set up the VLANs on the switches (normal network, DMZ, etc.), define which ports go into which VLAN and set up trunks for the connections between the switches. That way you can extend the DMZ VLAN to the switch(es) on which the devices reside.

Author Comment

by:philb19
ID: 38809296
Thanks again. So the DMZ interface and the internal interface on the ASA would also need to be on this new VLAN and have sub-interfaces to reflect that, I'm guessing.

LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 38809343
Been thinking (I do that sometimes ;)

If you only want to extend the DMZ and only have one DMZ (and aren't planning on having more), you don't need to use sub-interfaces on the ASA. Just set up the new (DMZ) VLAN on the switches and make the port that the ASA's DMZ interface is connected to an access port in that VLAN (assuming you use Cisco switches).

Then you are able to access the DMZ on every switch when you configure a port (on a switch) in that VLAN.
 
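The accepted solution, written out as an added example rather than config from the thread. It assumes Cisco IOS on both the server-room switch and one floor switch (the poster's DMZ switch is a Nortel; the VLAN and tagging concept is identical but the syntax is not shown here), VLAN 10 for the DMZ, VLAN 30 as the existing VLAN of the third floor, and the port numbers shown; all of these are assumptions. The port-security and BPDU-guard lines on the meeting-room port are added hardening, not something the thread prescribes.

```cisco
! --- Server-room switch (assumed Cisco IOS) ---
vlan 10
 name DMZ
!
! ASA DMZ interface: a plain access port, so no sub-interfaces on the ASA.
interface GigabitEthernet1/0/1
 description ASA DMZ interface
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Existing uplink to the 3rd-floor switch: keep its current VLANs, ADD 10.
interface GigabitEthernet1/0/24
 description uplink floor 3
 switchport mode trunk
 switchport trunk allowed vlan add 10
 switchport nonegotiate
!
! Deliberately NO SVI for VLAN 10: the ASA DMZ interface must be the only
! layer-3 hop in that VLAN, otherwise the core can route around the firewall.
no interface Vlan10

! --- 3rd-floor switch ---
vlan 10
 name DMZ
!
interface GigabitEthernet1/0/24
 description uplink to server room
 switchport mode trunk
 switchport trunk allowed vlan 10,30
 switchport nonegotiate
!
! Meeting-room wall port: the video unit lives in the DMZ VLAN and uses the
! ASA DMZ interface address as its default gateway, like the DMZ servers.
interface GigabitEthernet1/0/5
 description meeting room 3A - video conferencing unit
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security maximum 1
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification on each switch in the path:
!   show interfaces trunk                   (VLAN 10 allowed and active on every hop)
!   show vlan id 10                         (only the intended ports are members)
!   show ip interface brief | include Vlan10 (must return nothing)
```

Only add VLAN 10 to the trunks that actually lead to a meeting room; leaving it pruned from every other uplink limits where a compromised DMZ host can send frames, which is the point made by the next expert comment about mixing DMZ and internal VLANs on shared switches.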

Author Comment

by:philb19
ID: 38809555
Brilliant, I think I understand. I had it stuck in my mind that all traffic on the floors goes through the internal interface of the ASA, but of course if the devices are on the DMZ subnet with their gateway being the ASA DMZ interface, setting it up as you have outlined should work.

The DMZ switch is not Cisco, it's a Nortel, but managed. I've set up VLANs on them before; should be OK. Thanks heaps.

LVL 35

Expert Comment

by:Ernie Beek
ID: 38809635
My pleasure :)
If there's anything else, let me know.
LVL 8

Expert Comment

by:pgolding00
ID: 38812909
While all the above is technically correct and will work, it's not the best in terms of security. Most security people would recommend not mixing the DMZ and internal VLANs on the same switches or trunks.

If you only have a single "inside" VLAN/subnet, or if all the devices that require public addresses can be on the same VLAN as the ASA inside interface, you can put public addresses on the few devices that require them, point their default gateway to the real public-side next-hop address, and use identity NAT (aka 1-to-1 NAT or identity static) or static (for version 8.2 and earlier). This will make these devices appear to be on the outside subnet, but protected by the ASA. It looks strange to have devices in a subnet that does not exist at the physical place they are connected, pointing to a default gateway on a different VLAN, but it's the more proper way to do this in terms of security.

Here's one example config:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#ByNat
More info:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1161298


Author Comment

by:philb19
ID: 38813023
Thanks. I don't quite understand this part:
"point their default gateway to the real public side next hop address"

So you mean put the video conference equipment on the floors in the "public" DMZ subnet IP range? Do you mean give them a different gateway than the other DMZ servers in the server room, which is the DMZ interface on the ASA firewall?

If so, what gateway address do I give the video conf equipment? "Next hop" means... guessing here... the outside interface of the ASA? Sorry, confused about what you mean.

PS: each floor is on its own VLAN, so each video conf device is in a different VLAN. Thanks.

LVL 8

Expert Comment

by:pgolding00
ID: 38813276
In the case where you have a DMZ subnet (different from the ASA outside subnet) on a third ASA interface, you would not use what I have described. Reviewing your initial comments, my suggestion might not be valid for your environment.

This is used where you might have a single subnet from the ISP with a mask shorter than 30 bits (255.255.255.252, which only gives you a gateway and a host); e.g. it might be 1.2.3.0/25 or 255.255.255.128. So you might put 1.2.3.1 on the ASA outside. Assume the ISP gateway is 1.2.3.126. Then you can configure 1.2.3.2 up to .125 on hosts connected to the VLAN on the ASA inside (maybe that's 192.168.50.0/24; it does not matter for this example). On the host with 1.2.3.2/25, which is placed inside the ASA (not on the DMZ interface), you give it default gateway 1.2.3.126, plus create the identity static or identity NAT for 1.2.3.2, and everyone is happy. 1.2.3.2 can be accessed from the internet, based on the access-list config for that host. You need proxy ARP enabled on the inside of the ASA also, which is the default.

With a VLAN per floor or a routed network behind the ASA, this solution becomes problematic anyway.

It might be more academic than relevant to your network though, given your initial question. Apologies if I have added confusion rather than clarity.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38813283
All that said, the same concept can be used to put outside-subnet public-addressed hosts behind the DMZ interface, in exactly the same manner. That might be of more use to you?
 
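The identity NAT variant from the two comments above, as an added example (not pgolding's config or the linked Cisco document). Addressing follows his worked numbers: ISP block 1.2.3.0/25, ASA outside 1.2.3.1, ISP gateway 1.2.3.126, one video unit at 1.2.3.2/25 cabled into the inside VLAN. The object name `vc-unit`, the interface name and the use of TCP 1720 (H.323 call setup) as the permitted port are assumptions; substitute whatever your unit actually listens on. The host's default gateway pointing at the ISP router and the inside proxy-ARP behaviour that makes that work are as pgolding describes and as in the example he links; they are not re-verified here, so test in a lab before relying on them.

```cisco
! Host side (not ASA config): ip 1.2.3.2 mask 255.255.255.128,
! default gateway 1.2.3.126 (the ISP router, not the ASA inside address).

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.1 255.255.255.128
route outside 0.0.0.0 0.0.0.0 1.2.3.126
!
! --- ASA 8.2 and earlier: "identity static", mapped address == real address ---
static (inside,outside) 1.2.3.2 1.2.3.2 netmask 255.255.255.255
access-list outside_in_82 extended permit tcp any host 1.2.3.2 eq 1720
access-group outside_in_82 in interface outside
!
! --- ASA 8.3 and later: object NAT with mapped == real; ACLs use the real IP ---
! (use this block OR the one above, matching your software version)
object network vc-unit
 host 1.2.3.2
 nat (inside,outside) static 1.2.3.2
access-list outside_in extended permit tcp any object vc-unit eq 1720
access-group outside_in in interface outside
!
! Proxy ARP on inside must stay at its default (enabled); make sure this
! line is NOT present in the running config:
!   sysopt noproxyarp inside
!
! Variant from the follow-up comment: the same host behind the DMZ interface.
! static (dmz,outside) 1.2.3.2 1.2.3.2 netmask 255.255.255.255     (8.2 and earlier)
! nat (dmz,outside) static 1.2.3.2                                  (8.3+, inside the object)
```

The access-list is what actually limits exposure: identity NAT only makes 1.2.3.2 reachable, so permit only the ports the unit needs, and remember that on 8.3+ the ACL refers to the real (here identical) address, not a separate mapped one.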
LVL 35

Expert Comment

by:Ernie Beek
ID: 38813428
Though I agree that some might debate the mixing of DMZ and internal VLANs on a switch, IMHO the same would go for creating a static NAT to a machine in the inside VLAN (making it publicly available). Even more so, because when the machine gets compromised it's already in the inside network.

That being said, I still stand by my provided solution (of course I do :). When set up right (no inter-VLAN routing, etc.) there should be no worries about compromising security, and it would be the simplest way to get things done in this particular setup.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38816855
In the real world, more often than not cost determines what is actually deployed, and it ends up as Ernie has suggested. My aim is to raise awareness of best practice, draw comparisons with and highlight differences between that and common practice.

LVL 35

Expert Comment

by:Ernie Beek
ID: 38817888
It's always good if there's someone around to raise awareness, especially because I'm more of the pragmatic approach. Don't feel attacked in any way; it's always good to create a little awareness :)
