mikey250
asked on
asa 5505 asdm gui dns dhcp query
Hi, I am currently configured for a single IP class C subnet address via 1 x ASA 5505 via ASDM ver 7.1 GUI.
My PCs are connected via a 3 triage Cisco switch topology like a router on a stick and all have internet access.
Question 1. I wanted to know: is there anything that I should configure in the DNS & DHCP, via my ASDM screenshot attached, with what I currently have set up so far?
asa-dns-dhcp-screenshot-asdm.pdf
ASKER
DNS - I would configure for inside/DMZ using internal DNS servers.
Question 1. When I first configured my ASA out of the box clean, I disabled the DMZ part, as I did not think I required this until I decided to maybe set up a VPN?
DMZ is intended for public facing devices (ex. web server) you want to separate from your internal network. This "zone" allows for public access while protecting your inside network without having to allow that traffic to pass internally. VPN is secure access to the inside network and that is not the intended use of a DMZ.
ASKER
Well, currently I am only using the built-in ASA DHCP and my static IP provided via my ISP, using my ISP's DNS to get internet access... so this is not needed in this case..!
ASKER
Question 1. Later I do wish to connect my internal Windows 2008/DNS/DHCP server, installed all on 1 server, so would I have to build another 2nd server for DNS to fit inside the DMZ on another subnet, as I've not done it this way before?
ASKER
Note: currently my ASA built-in DHCP is on the same class C classful subnet that my Windows 2008 server is on, but currently the Windows 2008 server is not physically connected and is switched off until I have my ASA configured correctly.
ASKER
Hi Spartan, am I right to think that way as per the last 2 comments?
Your internal server will not impact anything with the firewall. I would recommend you move the DHCP server to your 2008 server and off of the ASA. You don't need a DNS server on the DMZ; this is unnecessary. Your internal server will and can manage DNS just fine.
This is an example of a three zone firewall:
Internal: Inside interface E0/1: 192.168.1.1 on a 192.168.1.x/24
External: Outside interface E0/0: x.x.x.x/252 ISP public address
DMZ: DMZ interface E0/2 10.11.1.1 on a 10.11.1.x/24 subnet
This allows "true" separation of networks at the firewall level so you can put a less secure device (Web server) in the DMZ and still protect it without having to put it in your internal network and expose yourself to a security hole.
I hope this explains what you are looking for.
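As an added illustration of the three-zone layout Spartan describes (this is example configuration, not from the thread or the asker's ASA), the same three interfaces expressed in ASA CLI, with the security levels that make the "true separation" work; the DMZ web server address 10.11.1.10 and the internal DNS server 192.168.1.10 are assumed, and the interface names follow the post (on a 5505 they would be VLAN interfaces with switchports assigned, and the Base license restricts one VLAN from initiating traffic to another).

```cisco
! Three-zone ASA example (added, assumed addresses as noted above)
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! x.x.x.x is the ISP-assigned public address placeholder, as in the post
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.11.1.1 255.255.255.0
!
! ASA default: a higher security level may initiate to a lower one
! (inside -> dmz, inside -> outside, dmz -> outside) with no ACL needed,
! but never the reverse. A compromised DMZ host therefore cannot open
! connections to inside unless an ACL explicitly permits it.
!
! From outside, only the published web service on the DMZ host is
! reachable (real IP is used in the ACL on ASA 8.3+; the static NAT
! for the public address is omitted here).
access-list outside_in extended permit tcp any host 10.11.1.10 eq 80
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! DHCP is served on the inside interface only, as the thread recommends,
! until it moves to the Windows 2008 server. DMZ servers use static
! addresses, so no pool is defined there. 192.168.1.10 is the assumed
! internal DNS server handed out to clients.
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.10
dhcpd enable inside
```

The ACL's `deny ... log` line is the detection hook: any attempt from the internet to reach the DMZ on a port other than 80, or to reach inside at all, shows up in the ASA syslog rather than being silently dropped by the implicit deny.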
ASKER
OK, understood..!! But if I use another subnet for the DMZ, i.e. 10.11.1.1 on a 10.11.1.x/24, is it a physical machine I add or what?
Like Spartan said, move DHCP off the ASA to your server (when you're ready for it). You will have a lot more functionality when you do.
With regards to the DMZ: what are you planning on running there?
ASKER
Hi Ernie, that's not my understanding.
I didn't ask about use of the DMZ; 'Spartan' did, so that is why I asked questions further.
Currently my Win 2008 AD/DNS/DHCP is on 1 server but not switched on, & using only 1 class C classful subnet.
So if I put DHCP in the DMZ I assume I would need another physical server on a separate subnet..?
Ah, ok.
Well, depends on what you will be putting in the DMZ. Normally you use the DMZ to make machines/servers accessible from the internet (webservers and stuff). Because most of the time there are only servers in there (which should have a static IP), there would be no need for DHCP.
ASKER
Question 1. Currently I have nothing in the DMZ, and the only other feature I wish to configure eventually is VPN access, but I assume for this a 'DMZ' is not required?
Question 2. I'm not sure, if a user was using their PC/laptop via a VPN to access their email, if I would therefore put an Exchange server in the 'DMZ'?
Question 3. I assume if a user did not have a VPN but used a web browser to access files on the company server or email, then it would make sense to have a 'DMZ' with a specific file server or email server in place?
1. No, DMZ is not required nor recommended for VPN use. VPN allows for secure access to your internal network. A DMZ is a less secure area outside of your internal network.
2. You would NOT put an Exchange server in a DMZ, only a gateway device (load balancer, SPAM filter, TMG/Forefront server for Exchange).
3. Exchange has a web version that can be accessed by people you allow and does not require a DMZ. File shares are not something you expose to a DMZ; that should only be allowed to be accessed inside of your network.
ASKER
Question 1. So I assume then a DMZ is for multiple external networks connected, for e.g. in a star topology, but which need access to DHCP & DNS, for e.g.?
ASKER
I'm aware most networks will have a local DHCP/DNS server anyhow for fault tolerance/redundancy reasons?
I suppose a DMZ is only used probably in instances these days via an ISP company?
ASKER CERTIFIED SOLUTION
ASKER
Yes, I understand... OK.
Well, it looks like Spartan has covered this nicely :)
ASKER
Sound advice.