
ASA 5505 DMZ Configuration


hsood2001 (ISP)
Feb 26, 2007
Hi All,

I am new to using Cisco Firewalls and need some help setting up a Cisco ASA 5505 with Security Plus.

Our network has a /19 allocation and we have several mail, web, DNS, and other servers, all using static public IPs per NIC, and some servers have multiple IPs per NIC.

I want to protect these servers from attacks, hacking, etc. from the outside WAN.

This is my network setup:

Our allocation IP: x.x.96.0 /19
255.255.224.0

I am using this so far: x.x.96.1 – x.x.103.254
255.255.248.0
This is what I want to assign my DMZ network

x.x.96.1 – GW
x.x.96.2 – DNS1
x.x.96.3 – Switch1
x.x.96.4 – Switch2
x.x.96.5 – Vigor Router for private LAN, this will also take care of my VPN’s

x.x.96.6 – FTP Server
x.x.96.7 – Web Server1
x.x.96.8 – Web Server2
x.x.96.9 – Cisco ASA 5505 – This is the IP I want to assign this firewall

x.x.97.1 – Email server
x.x.98.1 – 100.254 – Email server 2
etc…

All I want to do is have 1 DMZ network, and my Vigor router on x.x.96.5 will host my private LAN. I do not want to use private IPs for my DMZ network as this will take a lot of time reconfiguring the network.

Someone in the Tek-Tips Cisco forum told me that I need to allocate a subnet for my DMZ network, which is x.x.96.0 255.255.248.0, then create a nonat ACL so that hosts in the DMZ will bypass NAT when going outbound. And then if you need any communication between inside and the DMZ, you'll need to use identity NAT to make it work?

But I am not sure how to set this up; can anyone help?

So to summarise I want to:

1. Disable the VPN capabilities of the ASA 5505 Firewall
2. Set up a DMZ network for my servers on the public IPs

Any help would be great.

Thanks.
 
1/ Create VLANs:

VLAN 2: WAN
VLAN 3: LAN
VLAN 5: DMZ

2/ Create VLAN interfaces:

interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x

interface Vlan3
 nameif inside
 security-level 100
 ip address x.x.x.x x.x.x.x

interface Vlan5
 nameif DMZ
 security-level 5
 ip address x.x.x.x x.x.x.x

3/ Configure physical interfaces:

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
interface Ethernet0/5
 switchport access vlan 5

4/ Routing:

route inside x.x.x.x x.x.x.x x.x.x.x 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

5/ Access lists: [Maybe try doing this through the web-based GUI tool, which I hear is quite clear and easy to use]
- create an access list allowing access from e0 to e5 as required.
- create an access list blocking access from e5 to e0 except as required.

6/ NAT: [Ditto]

access-list DMZ_nat0_outbound extended permit ip any any
nat (DMZ) 0 access-list DMZ_nat0_outbound
- configure NAT for any of your private addresses if they need access to "Outside".

7/ Patching:
- plug your ISP into e0/0.
- plug your internal LAN switch into e0/1.
- plug your DMZ switch into e0/5.




 
No, that example wouldn't help - he's using an ASA5505 - this device uses VLAN interfaces to easily create the DMZ he needs, as well as allowing firewalling and NAT for his non-DMZ internal private addresses.
As he has the Security Plus license, he can also route between Inside & DMZ and even have additional VLANs (up to 18? or something?).

I think his biggest problem is understanding NAT - I've provided the noNAT lines for his DMZ traffic, but he also needs some for the inside addresses.
This is what he needs to read:
 

Thanks for all your posts..

Yes unclerico that is what I am trying to achieve in your diagram.

Vince, what you are saying is I need to create 3 VLANs: 1 for my WAN, one for my LAN and the other for DMZ. Should this not be 2 VLANs? One for my WAN and the other for DMZ?

What IPs do I need to set up for this:

A bit more info: these servers are in a Data Centre and our G/W address is x.x.96.1, which we have been given.

WAN - x.x.96.1 is the gateway address. I want to assign x.x.96.9 255.255.255.255? to this ASA 5505.

LAN - x.x.96.5 - Private NAT 192.168.2.0. I have a few LAN-to-LAN VPNs behind this router: 192.168.3.0, 6.0, 12.0, etc.
I want all devices behind this private LAN to be able to get out on all ports without any restrictions. This Vigor 2950 needs to have full access inbound and outbound. I will use the firewall on the vigor 2950 to restrict unnecessary access coming into x.x.96.5.

DMZ - x.x.96.2 - x.x.103.254 Subnet 255.255.248.0
 
If the drawing I put together verifies how you want to physically implement your design, then I too would recommend you install the 5505 in transparent mode, just as Supergrrover has suggested above. Take a look at the document in Super's response and reply back with any questions that you have. In 99.9% of installations you'd do like Vince says and configure three VLANs (or more depending on your requirements) on the device and use forms of NAT to enable inside to outside access and vice versa.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The scenario hsood2001 is describing is exactly a transparent firewall. You set security on it but it doesn't provide NAT or VPN termination. This keeps all public IPs on the servers unchanged but still allows the traffic to be filtered. It is basically a bump in the wire doing security.

The 2nd router/firewall/VPN endpoint will do all those functions for the internal network - no need for VLANs externally.

Believe me, trying the VLAN scenario will be a huge headache. VinceWhirlwind, have you ever tried to implement the setup you are proposing with the same IP scheme on 2 interfaces/VLANs?



Brent
Systems Engineer / Consultant
CCNP, CCSP
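As an added illustration of the point Brent raises about Vince's routed-mode plan (this is not code from the thread): an ASA in routed mode requires every interface to sit in its own subnet, so keeping the public /21 on both the outside and the DMZ side is rejected before any ACL or NAT rule matters. The script below checks an interface plan for overlapping subnets and checks that the DMZ hosts really fall inside the chosen /21 (not just the /19); all addresses are constructed stand-ins for the poster's redacted x.x.96.0/19.

```python
# Added example: sanity-check an ASA 5505 routed-mode interface plan offline.
# Addresses are constructed; 10.10.96.0/19 stands in for the redacted x.x.96.0/19.
from ipaddress import ip_address, ip_interface, ip_network


def overlapping_interfaces(plan):
    """plan maps nameif -> 'address/prefix'.

    Returns sorted (nameif, nameif) pairs whose connected subnets overlap.
    Routed mode needs a distinct subnet per interface, so any pair returned
    here is a plan the firewall will refuse (or route incorrectly).
    """
    nets = {name: ip_interface(cidr).network for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def hosts_outside(dmz_subnet, hosts):
    """Return the hosts that are NOT inside the planned DMZ subnet.

    Catches the /19 vs /21 confusion: an address in the allocation but
    beyond 10.10.103.254 is not reachable via the DMZ interface.
    """
    net = ip_network(dmz_subnet)
    return [h for h in hosts if ip_address(h) not in net]


# The thread's plan: WAN gateway .1 and the DMZ servers share one public /21.
# The DMZ-side ASA address (.10) is a constructed placeholder, not from the thread.
POSTER_PLAN = {
    "outside": "10.10.96.9/21",    # ASA WAN address, ISP gateway 10.10.96.1
    "DMZ": "10.10.96.10/21",       # same public /21 on the DMZ interface
    "inside": "192.168.2.1/24",    # private LAN behind the Vigor
}

# Constructed DMZ host list mirroring the poster's .2, .6-.8, 97.1, 98.1-100.254.
DMZ_HOSTS = ["10.10.96.2", "10.10.96.6", "10.10.96.7", "10.10.96.8",
             "10.10.97.1", "10.10.98.1", "10.10.100.254"]

if __name__ == "__main__":
    print("overlapping:", overlapping_interfaces(POSTER_PLAN))
    print("outside /21:", hosts_outside("10.10.96.0/21", DMZ_HOSTS + ["10.10.104.1"]))
```

A plan passes the overlap check only when the outside interface gets its own transit subnet from the ISP, or when the box runs in transparent mode and the interfaces carry no IP subnets at all, which is the option the thread settles on.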
 
I totally take your point - my mind was rebelling at the idea that he would keep the 2nd (and now redundant) router.
Why have 2 points of failure when 1 would do?

I read this
"All I want to do is have 1 DMZ network and my Vigor router on x.x.96.5 will host my private LAN. I do not want to use private IP's for my DMZ network as this will take a lot of time reconfiguring the network."
as meaning he thought he had only two options (keep old router/readdress DMZ network), when there is a far better one available (use ASA5505 for all functions).

I frequently visit sites where things have been tacked-on instead of replaced, and I'm always creating rackspace and reducing power consumption by simplifying complicated setups inherited by people who can't fathom them.
 
Thanks for everyone's help on this. I will take a look at the transparent firewall guide and try to configure the firewall.

 