DMZ public IP for video conference device on each floor

Posted on 2013-01-22
Last Modified: 2013-02-02
Hi, we have an ASA firewall.

3 interfaces:

internal
DMZ
outside

Our server room has the DMZ interface connected to a switch - 13 or so DMZ servers in the server room.

Required are 4 public IP devices in meeting rooms on different floors from the server room - DMZ range public IPs.

Each floor has a switch - physical uplinks taken to connect to the server room.
What then is the best way to get the public IPs into the meeting rooms - without physically running a cable from the DMZ switch in the server room to each meeting room, or bypassing the firewall with a new cable from our CORE switch direct into the DMZ switch?

Can I VLAN the DMZ ASA interface - together with the internal interface of the ASA - then VLAN back to the meeting rooms - maybe sub-interfaces - any ideas?

The video conferencing equipment needs public IPs - same range as the current DMZ subnet - and also needs to be in its own VLAN - thanks
Question by:philb19
14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38808987
To use VLANs on the ASA you need to create sub-interfaces (so you're correct).
Something like:
interface GigabitEthernet0/0.10
 vlan 10
 

Author Comment

by:philb19
ID: 38809042
That's good, thanks Erniebeek - I guess my confusion/problem lies with the ASA being a router in effect - and the DMZ subnet (in the server room) (the DMZ subnet gateway being the DMZ interface) -
So with the meeting rooms on different floors (needing to be on this DMZ subnet) - then out to the internet? - how do I achieve this?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38809074
Don't make the (common) mistake to see the ASA as a router, because it isn't and doesn't quite work that way ;)

You'll need to set up the VLANs on the switches (normal network, DMZ, etc) define what ports go in to what VLAN and set up trunks for the connections between the switches. That way you can extend the DMZ VLAN to the switch(es) on which the devices reside.
 

Author Comment

by:philb19
ID: 38809296
Thanks again - so the DMZ interface and the internal interface on the ASA would also need to be on this new VLAN and have sub-interfaces to reflect that - I'm guessing.
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 38809343
Been thinking (I do that sometimes ;)

If you only want to extend the DMZ and only have one DMZ (and are not planning on having more), you don't need to use sub-interfaces on the ASA. Just set up the new (DMZ) VLAN on the switches and make the port that the ASA's DMZ interface is connected to an access port in that VLAN (assuming you use Cisco switches).

Then you are able to access the DMZ on every switch when you configure a port (on a switch) in that VLAN.
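As an added example (not from the thread, and not Ernie Beek's or philb19's configuration), here is what the accepted design looks like when written out for Cisco IOS switches. Everything in it is assumed for illustration: VLAN 100 as the DMZ VLAN, VLAN 30 as an existing floor VLAN, VLAN 999 as an unused native VLAN, 203.0.113.0/24 as the DMZ subnet, and made-up port numbers. The thread's DMZ switch is actually a Nortel, so the commands there differ, but the design is the same: the ASA's DMZ port stays an access port in the DMZ VLAN, the DMZ VLAN is carried tagged over the existing uplinks, the meeting-room port is an access port in the DMZ VLAN, and no switch gets a layer 3 interface in that VLAN (that is the inter-VLAN routing Ernie warns about, and it would route DMZ traffic around the ASA). The weak setting is shown commented out next to the correct one.

```cisco
! ---------- Server-room DMZ switch (assumed Cisco IOS for the example) ----------
vlan 100
 name DMZ
!
interface GigabitEthernet0/1
 description ASA DMZ interface - unchanged, still an access port in the DMZ VLAN
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description 802.1Q trunk to CORE - carries the DMZ VLAN only
 switchport trunk encapsulation dot1q   ! omit on platforms that only do dot1q (e.g. 2960)
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ---------- Core switch ----------
vlan 100
 name DMZ
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/1
 description trunk to DMZ switch - DMZ VLAN only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description trunk to floor 3 switch - floor VLAN plus DMZ VLAN
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30,100
 switchport trunk native vlan 999
 switchport nonegotiate
!
! The weak setting - do NOT configure this on any switch. An SVI with an
! address in the DMZ subnet makes the core a router between the DMZ VLAN
! and the internal VLANs, so DMZ-to-inside traffic never touches the ASA:
!   interface Vlan100
!    ip address 203.0.113.2 255.255.255.0   <- never
!
! ---------- Floor 3 switch ----------
vlan 100
 name DMZ
!
interface GigabitEthernet0/12
 description Meeting room 3A video unit - public IP, gateway = ASA DMZ interface
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description trunk to CORE
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30,100
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ---------- Checks to run on every switch after the change ----------
! show vlan id 100                            -> only the ports listed above
! show interfaces trunk                       -> VLAN 100 allowed only on the expected trunks
! show ip interface brief | include Vlan100   -> must return nothing
! show ip route                               -> no route to 203.0.113.0/24 via a local SVI
```

The link between the DMZ switch and the core is the cable the question wanted to avoid, but as a layer 2 trunk allowing only the DMZ VLAN, with no SVI for that VLAN anywhere, it is not a firewall bypass: the only router on the DMZ subnet is still the ASA's DMZ interface. Pruning the allowed VLAN list on every trunk, using a dedicated unused native VLAN, and disabling DTP (`switchport nonegotiate`) are what keep it that way; the `show` commands at the end are the evidence to collect once it is built.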
 

Author Comment

by:philb19
ID: 38809555
Brilliant - I think I understand. I had it stuck in my mind that all traffic on the floors goes through the internal interface of the ASA - but of course if the devices are on the DMZ subnet with their gateway being the ASA DMZ interface, setting it up as you have outlined should work.

The DMZ switch is not Cisco, it's a Nortel, but managed. I've set up VLANs on them before - should be ok. Thanks heaps
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38809635
My pleasure :)
If there's anything else, let me know.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38812909
While all the above is technically correct and will work, it's not the best in terms of security. Most security people would recommend not mixing the DMZ and internal VLANs on the same switches or trunks.

If you only have a single "inside" VLAN/subnet, or if all the devices that require public addresses can be on the same VLAN as the ASA inside interface, you can put public addresses on the few devices that require them, point their default gateway to the real public-side next hop address, and use identity NAT (aka 1-to-1 NAT or identity static) or static (for versions 8.2 and earlier). This will make these devices appear to be on the outside subnet, but protected by the ASA. It looks strange to have devices in a subnet that does not exist at the physical place they are connected, pointing to a default gateway on a different VLAN, but it's the more proper way to do this in terms of security.

Here's one example config:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#ByNat
More info:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1161298
 

Author Comment

by:philb19
ID: 38813023
Thanks, I don't quite understand this part:
"point their default gateway to the real public side next hop address"

So you mean put the video conference equipment on the floors in the "public" DMZ subnet IP range - do you mean give them a different gateway than the other DMZ servers in the server room - which is the DMZ interface on the ASA firewall?

If so, what gateway address do I give the video conference equipment? Next hop means - guessing here - the outside interface of the ASA? - sorry, confused with what you mean.

PS - each floor is on its own VLAN, so each video conference device is on a different VLAN - thanks
 
LVL 8

Expert Comment

by:pgolding00
ID: 38813276
In the case where you have a DMZ subnet (different from the ASA outside subnet) on a third ASA interface, you would not use what I have described. Reviewing your initial comments, my suggestion might not be valid for your environment.

This is used where you might have a single subnet from the ISP with a mask less than 30 bits (255.255.255.252, which only gives you gateway and host), e.g. it might be 1.2.3.0/25 or 255.255.255.128. So you might put 1.2.3.1 on the ASA outside. Assume the ISP gateway is 1.2.3.126. Then you can configure 1.2.3.2 up to .125 on hosts connected to the VLAN on the ASA inside (maybe that's 192.168.50.0/24 - it does not matter for this example). On the host with 1.2.3.2/25, which is placed inside the ASA (not on the DMZ interface), you give it default gateway 1.2.3.126 plus create the identity static or identity NAT for 1.2.3.2, and everyone is happy. 1.2.3.2 can be accessed from the internet, based on the access-list config for that host. You need proxy ARP enabled inside on the ASA also, which is the default.

With a VLAN per floor or a routed network behind the ASA, this solution becomes problematic anyway.

It might be more academic than relevant to your network though, given your initial question. Apologies if I have added confusion rather than clarity.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38813283
All that said, the same concept can be used to put outside-subnet public-addressed hosts behind the DMZ interface, in exactly the same manner. That might be of more use to you?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38813428
Though I agree that some might discuss the mixing of DMZ and internal VLANs on a switch, IMHO the same would go for creating a static NAT to a machine in the inside VLAN (making it publicly available). Even more so, because when the machine gets compromised it's already in the inside network...

That being said, I still stand by my provided solution (of course I do :). When set up right (no inter-VLAN routing, etc.) there should be no worries about compromising security, and it would be the simplest way to get things done in this particular setup.
 
LVL 8

Expert Comment

by:pgolding00
ID: 38816855
In the real world, more often than not cost determines what is actually deployed, and it ends up as Ernie has suggested. My aim is to raise awareness of best practice, draw comparisons with, and highlight differences between, that and common practice.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38817888
It's always good if there's someone around to raise awareness, especially because I'm more of the pragmatic approach. Don't feel attacked in any way, it's always good to create a little awareness :)