Solved

DMZ public IP for video conference device on each floor

Posted on 2013-01-22
Last Modified: 2013-02-02
Hi, we have an ASA firewall with 3 interfaces:

internal
DMZ
outside

Our server room has the DMZ interface connected to a switch; there are 13 or so DMZ servers in the server room.

What is required is 4 public-IP devices in meeting rooms on different floors from the server room, using public IPs from the DMZ range.

Each floor has a switch, with physical uplinks taken to connect to the server room.
What, then, is the best way to get the public IPs into the meeting rooms without physically running a cable from the DMZ switch in the server room to each meeting room, or bypassing the firewall with a new cable from our CORE switch direct into the DMZ switch?

Can I VLAN the DMZ ASA interface together with the internal interface of the ASA, then VLAN back to the meeting rooms, maybe with sub-interfaces? Any ideas?

The video conferencing equipment needs public IPs, in the same range as the current DMZ subnet, and also needs to be in its own VLAN. Thanks.
Question by: philb19

14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38808987
To use VLANs on the ASA you need to create sub-interfaces (so you're correct).
Something like:
interface GigabitEthernet0.10
vlan 10
 

Author Comment

by:philb19
ID: 38809042
That's good, thanks Ernie Beek. I guess my confusion/problem lies with the ASA being a router in effect, and the DMZ subnet (in the server room) having the DMZ interface as its gateway.
So with the meeting rooms on different floors (needing to be on this DMZ subnet), and then out to the Internet: how do I achieve this?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38809074
Don't make the (common) mistake to see the ASA as a router, because it isn't and doesn't quite work that way ;)

You'll need to set up the VLANs on the switches (normal network, DMZ, etc) define what ports go in to what VLAN and set up trunks for the connections between the switches. That way you can extend the DMZ VLAN to the switch(es) on which the devices reside.
 

Author Comment

by:philb19
ID: 38809296
Thanks again. So the DMZ interface and the internal interface on the ASA would also need to be on this new VLAN and have sub-interfaces to reflect that, I'm guessing.
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 38809343
Been thinking (I do that sometimes ;)

If you only want to extend the DMZ and only have one DMZ (and are not planning on having more), you don't need to use sub-interfaces on the ASA. Just set up the new (DMZ) VLAN on the switches and make the port that the ASA's DMZ interface is connected to an access port in that VLAN (assuming you use Cisco switches).

Then you are able to access the DMZ on every switch when you configure a port (on a switch) in that VLAN.
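To make the accepted approach concrete, here is an added example (not from the original thread) of what the switch and ASA side looks like in Cisco IOS and ASA syntax, together with the checks a practitioner would run afterwards. The questioner's DMZ switch is a Nortel, so the switch commands need translating. VLAN number 50, the interface names, the inside VLAN numbers, the unused native VLAN 999 and the 203.0.113.0/28 DMZ range are all assumptions made for the example. The "no SVI in the DMZ VLAN" point reflects Ernie Beek's later remark that the design is fine when there is no inter-VLAN routing.

```cisco
! --- ASA: the DMZ interface stays a plain routed interface; no sub-interface is needed.
! Assumed: GigabitEthernet0/2 is the DMZ port, 203.0.113.0/28 is the public DMZ range.
! The video units get addresses from this range (e.g. 203.0.113.10) with 203.0.113.1 as gateway.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.240
!
! --- Server-room switch (Cisco IOS syntax assumed). DMZ is VLAN 50; inside VLANs are 10-40.
vlan 50
 name DMZ-PUBLIC
!
! Port facing the ASA DMZ interface: untagged access port in VLAN 50, DTP negotiation off.
interface GigabitEthernet1/0/1
 description ASA Gi0/2 (dmz)
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink to the floor switch that hosts a meeting room: carry only the VLANs that floor needs
! (its inside VLAN plus VLAN 50). Floors without a conference unit do not get VLAN 50 at all.
! Native VLAN is set to an unused VLAN so no untagged frame can land in inside or DMZ.
interface GigabitEthernet1/0/24
 description trunk to floor-3 switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30,50
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Deliberately absent on every switch: "interface Vlan50" with an IP address.
! An SVI in VLAN 50 on a switch that also routes the inside VLANs would let traffic
! hop between DMZ and inside without ever touching the ASA.
!
! --- Floor switch: the meeting-room port. Same VLAN 50, same hardening.
interface GigabitEthernet1/0/12
 description Meeting room 3A video conference unit (DMZ)
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 spanning-tree portfast
!
! --- Checks after cabling.
! On the switches: VLAN 50 reaches the floor port, is on the intended trunks only,
! and no IP interface exists in it.
!   show vlan id 50
!   show interfaces trunk
!   show ip interface brief | include Vlan50
! On the ASA: the unit's MAC/IP now shows up on the dmz interface, and a flow from an
! inside host to the unit has to traverse the ASA and is subject to its policy.
!   show arp | include 203.0.113.
!   packet-tracer input inside tcp 192.168.30.20 40000 203.0.113.10 5061
```

The trunk keyword `switchport trunk encapsulation dot1q` exists only on platforms that also support ISL; on switches that do 802.1Q only it is omitted. On the Nortel side the equivalent is a tagged port carrying VLAN 50 with the ASA-facing and meeting-room ports untagged in VLAN 50.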
 

Author Comment

by:philb19
ID: 38809555
Brilliant, I think I understand. I had it stuck in my mind that all traffic on the floors goes through the internal interface of the ASA, but of course if the devices are on the DMZ subnet with their gateway being the ASA DMZ interface, setting it up as you have outlined should work.

The DMZ switch is not Cisco, it's a Nortel, but managed. I've set up VLANs on them before, so it should be OK. Thanks heaps.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38809635
My pleasure :)
If there's anything else, let me know.

 
LVL 8

Expert Comment

by:pgolding00
ID: 38812909
While all the above is technically correct and will work, it's not the best in terms of security. Most security people would recommend not mixing the DMZ and internal VLANs on the same switches or trunks.

If you only have a single "inside" VLAN/subnet, or if all the devices that require public addresses can be on the same VLAN as the ASA inside interface, you can put public addresses on the few devices that require them, point their default gateway to the real public-side next-hop address, and use identity NAT (aka 1-to-1 NAT or identity static) or static (for versions 8.2 and earlier). This will make these devices appear to be on the outside subnet, but protected by the ASA. It looks strange to have devices in a subnet that does not exist at the physical place they are connected, pointing to a default gateway on a different VLAN, but it's the more proper way to do this in terms of security.

Here's one example config:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#ByNat
more info:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1161298
 

Author Comment

by:philb19
ID: 38813023
Thanks. I don't quite understand this part:
"point their default gateway to the real public side next hop address"

So you mean put the video conference equipment on the floors in the "public" DMZ subnet IP range? Do you mean give them a different gateway than the other DMZ servers in the server room, which is the DMZ interface on the ASA firewall?

If so, what gateway address do I give the video conference equipment? "Next hop" means, guessing here, the outside interface of the ASA? Sorry, confused with what you mean.

PS: each floor is on its own VLAN, so each video conference device is on a different VLAN. Thanks.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38813276
In the case where you have a DMZ subnet (different to the ASA outside subnet) on a third ASA interface, you would not use what I have described. Reviewing your initial comments, my suggestion might not be valid for your environment.

This is used where you might have a single subnet from the ISP with a mask of less than 30 bits (255.255.255.252, which only gives you gateway and host); e.g. it might be 1.2.3.0/25 or 255.255.255.128. So you might put 1.2.3.1 on the ASA outside. Assume the ISP gateway is 1.2.3.126. Then you can configure 1.2.3.2 up to .125 on hosts connected to the VLAN on the ASA inside (maybe that's 192.168.50.0/24; it does not matter for this example). On the host with 1.2.3.2/25, which is placed inside the ASA (not on the DMZ interface), you give it default gateway 1.2.3.126, plus create the identity static or identity NAT for 1.2.3.2, and everyone is happy. 1.2.3.2 can be accessed from the Internet, based on the access-list config for that host. You need proxy ARP enabled inside on the ASA also, which is the default.

With a VLAN per floor or a routed network behind the ASA, this solution becomes problematic anyway.

It might be more academic than relevant to your network though, given your initial question. Apologies if I have added confusion rather than clarity.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38813283
All that said, the same concept can be used to put outside-subnet, public-addressed hosts behind the DMZ interface, in exactly the same manner. That might be of more use to you?
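An added example (not from the thread or the linked Cisco documents) of the identity-NAT arrangement pgolding00 describes in the two comments above, using the addresses from the comment: ISP block 1.2.3.0/25, ASA outside 1.2.3.1, ISP gateway 1.2.3.126, and a video unit at 1.2.3.2/25 that physically sits on the VLAN attached to the ASA inside interface and, as the comment says, is configured with 1.2.3.126 as its default gateway and relies on proxy ARP on the inside interface. Interface names, the 192.168.50.0/24 inside subnet, the ACL name, the object name and the SIP/H.323 ports are assumptions. Both the pre-8.3 and the 8.3+ NAT syntax are shown; only one applies to a given ASA. The variant from the last comment, with the host behind the DMZ interface instead, uses the same statements with `dmz` in place of `inside`.

```cisco
! --- ASA interfaces (names assumed). The inside interface keeps its private address; the
! 1.2.3.2 host is attached to this VLAN but addresses itself from the outside subnet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.1 255.255.255.128
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.2.3.126
!
! --- Identity NAT, ASA 8.2 and earlier ("identity static"): 1.2.3.2 translates to itself.
! The ASA proxy-ARPs for 1.2.3.2 on the outside, so the ISP gateway reaches it through the ASA.
static (inside,outside) 1.2.3.2 1.2.3.2 netmask 255.255.255.255
!
! --- The same on ASA 8.3 and later (object NAT, static identity).
object network vc-unit-1
 host 1.2.3.2
 nat (inside,outside) static 1.2.3.2
!
! --- Inbound policy: only the conferencing protocols to that host; everything else from the
! Internet is dropped by the implicit deny. Ports assumed: SIP 5060/5061, H.323 call setup 1720.
! (On 8.3+ the ACL references the real address; with identity NAT that is the same address.)
access-list outside_in extended permit tcp any host 1.2.3.2 eq 5061
access-list outside_in extended permit udp any host 1.2.3.2 eq 5060
access-list outside_in extended permit tcp any host 1.2.3.2 eq 1720
access-group outside_in in interface outside
!
! Proxy ARP is enabled per interface by default and must stay enabled on inside; do NOT add:
!   sysopt noproxyarp inside
!
! --- Checks.
!   show xlate | include 1.2.3.2        ! 8.2: the identity translation is present
!   show nat detail                     ! 8.3+: the object NAT rule and its hit counts
!   packet-tracer input outside tcp 198.51.100.10 40000 1.2.3.2 5061   ! expect ALLOW (NAT + ACL)
!   packet-tracer input outside tcp 198.51.100.10 40000 1.2.3.2 22     ! expect DROP on the ACL
```

The ACL is the part that makes the comment's "protected by the ASA" true: identity NAT on its own only makes the host reachable, and a compromised unit still sits on the inside VLAN, which is the objection Ernie Beek raises in the next comment.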
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38813428
Though I agree that some might discuss the mixing of DMZ and internal VLANs on a switch, IMHO the same would go for creating a static NAT to a machine in the inside VLAN (making it publicly available). Even more so, because when the machine gets compromised it's already in the inside network...

That being said, I still stand by my provided solution (of course I do :). When set up right (no inter-VLAN routing, etc.) there should be no worries about compromising security, and it would be the simplest way to get things done in this particular setup.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38816855
In the real world, more often than not cost determines what is actually deployed, and it ends up as Ernie has suggested. My aim is to raise awareness of best practice, draw comparisons with and highlight differences between that and common practice.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38817888
It's always good if there's someone around to raise awareness, especially because I'm more of the pragmatic approach. Don't feel attacked in any way, it's always good to create a little awareness :)
