mikey250

asa 5505 asdm gui dns dhcp query

Hi, I am currently configured for a single IP class C subnet address via 1 x ASA 5505, via the ASDM ver 7.1 GUI.

My PCs are connected via a 3-tier Cisco switch topology, like a router on a stick, and all have internet access.

Question 1. I wanted to know: is there anything I should configure in the DNS & DHCP, per my attached ASDM screenshot of what I currently have set up so far?

Attachment: asa-dns-dhcp-screenshot-asdm.pdf
James H

DHCP - no, unless you are using/needing those services.
DNS - I would configure for inside/DMZ using internal DNS servers.
mikey250

ASKER

DNS - I would configure for inside/DMZ using internal DNS servers

Question 1. When I first configured my ASA clean out of the box, I disabled the DMZ part, as I did not think I required this until I decided to maybe set up a VPN?
DMZ is intended for public-facing devices (e.g. a web server) that you want to separate from your internal network. This "zone" allows for public access while protecting your inside network, without having to allow that traffic to pass internally. VPN is secure access to the inside network, and that is not the intended use of a DMZ.
Well, currently I am only using the built-in ASA DHCP and my static IP provided by my ISP, using my ISP's DNS to get internet access... so this is not needed in this case!
Question 1. Later I do wish to connect my internal Windows 2008/DNS/DHCP server (all installed on 1 server), so would I have to build a 2nd server for DNS to fit inside the DMZ on another subnet, as I've not done it this way before?
Note: currently my ASA built-in DHCP is on the same class C classful subnet that my Windows 2008 server is on, but the Windows 2008 server is currently not physically connected and is switched off until I have my ASA configured correctly.
Hi Spartan, am I right to think that way, as per my last 2 comments?
Your internal server will not impact anything with the firewall. I would recommend you move DHCP server to your 2008 server and off of the ASA. You don't need a DNS server on the DMZ, this is unnecessary. Your internal server will and can manage DNS just fine.

This is an example of a three zone firewall:

Internal: Inside interface E0/1: 192.168.1.1 on a 192.168.1.x/24

External: Outside interface E0/0: x.x.x.x/252 ISP public address

DMZ: DMZ interface E0/2 10.11.1.1 on a 10.11.1.x/24 subnet

This allows "true" separation of networks at the firewall level so you can put a less secure device (Web server) in the DMZ and still protect it without having to put it in your internal network and expose yourself to a security hole.

I hope this explains what you are looking for.
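As an added illustration (not configuration posted by anyone in this thread), here is Spartan's three-zone layout expressed as ASA CLI for an ASA 5505, where each zone is a VLAN interface mapped onto the built-in switch ports. The inside 192.168.1.x/24 and DMZ 10.11.1.x/24 subnets are the ones given above; the VLAN numbers, security levels, the internal DNS server address 192.168.1.10 and the OUTSIDE_IP/OUTSIDE_NETMASK placeholders are assumptions made for this example.

```cisco
! Three-zone ASA 5505 layout. Added example, not the thread's own config.
! On a 5505 each zone is a VLAN interface; physical ports join a zone with
! "switchport access vlan". 192.168.1.10 (internal DNS) and the OUTSIDE_*
! values are assumed placeholders, not addresses from the thread.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OUTSIDE_IP OUTSIDE_NETMASK
!
interface Vlan3
 ! Base license on the 5505 permits a third VLAN only if it cannot initiate
 ! traffic to one other VLAN; this line blocks DMZ-initiated traffic to inside
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.11.1.1 255.255.255.0
!
! Map switch ports: e0/0 to outside, e0/1 to inside, e0/2 to the DMZ
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 3
!
! Default behaviour with these security levels: inside (100) may initiate to
! dmz (50) and outside (0); dmz may initiate to outside only; nothing from
! outside reaches inside or dmz without an explicit access-list and NAT rule.
!
! DNS, per the advice to resolve from the inside using the internal server
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.10
!
! DHCP is left disabled on the ASA, since the thread recommends running it on
! the Windows 2008 server. If it stays on the ASA for now, the scope would be:
! dhcpd address 192.168.1.100-192.168.1.200 inside
! dhcpd dns 192.168.1.10
! dhcpd enable inside
```

The point to check after applying something like this is the security-level ordering: a host in the DMZ should not be able to open connections to the inside subnet, while inside hosts can still reach both the DMZ and the internet. On a 5505 with the Base license the "no forward interface" restriction enforces that direction anyway; with a Security Plus license you would rely on the security levels and access-lists alone.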
OK, understood! But if I use another subnet for the DMZ, i.e. 10.11.1.1 on a 10.11.1.x/24, is it a physical machine I add, or what?
Ernie Beek
Like Spartan said, move DHCP off the ASA to your server (when you're ready for it). You will have a lot more functionality when you do.

With regards to the DMZ: what are you planning on running there?
Hi Ernie, that's not my understanding.

I didn't ask about use of the DMZ, 'Spartan' did. So that is why I asked further questions.

Currently my Win 2008 AD/DNS/DHCP is on 1 server, but not switched on, and using only 1 class C classful subnet.

So if I put DHCP in the DMZ, I assume I would need another physical server on a separate subnet?
Ah, ok.

Well, depends on what you will be putting in the DMZ. Normally you use the DMZ to make machines/servers accessible from the internet (webservers and stuff). Because most of the time there are only servers in there (which should have a static IP), there would be no need for DHCP.
Question 1. Currently I have nothing in the DMZ, and the only other feature I wish to configure eventually is VPN access, but I assume for this a 'DMZ' is not required?

Question 2. I'm not sure, if a user was using their PC/laptop via a VPN to access their email, whether I would therefore put an Exchange server in the 'DMZ'?

Question 3. I assume if a user did not have a VPN but used a web browser to access files on the company server or email, then it would make sense to have a 'DMZ' with a specific file server or email server in place?
1. No, DMZ is not required nor recommended for VPN use. VPN allows for secure access to your internal network. A DMZ is a less secure area outside of your internal network.

2. You would NOT put an Exchange server in a DMZ, only a gateway device (load balancer, SPAM filter, TMG/Forefront server for Exchange).

3. Exchange has a web version that can be accessed by people you allow and does not require a DMZ. File shares are not something you expose to a DMZ; that should only be allowed to be accessed inside of your network.
Question 1. So I assume then a DMZ is for multiple external networks connected, e.g. in a star topology, but that need access to DHCP & DNS, for example?
I'm aware most networks will have a local DHCP/DNS server anyhow, for fault tolerance/redundancy reasons?

I suppose a DMZ is probably only used these days in instances via an ISP company?
ASKER CERTIFIED SOLUTION
James H
Yes, I understand... OK.
Well, it looks like Spartan has covered this nicely :)
Sound advice.