
Cisco ASA 5505 Security Plus DMZ


hsood2001 (ISP, GB), Feb 26, 2007
Hi All,

I have just bought a Cisco ASA 5505 UL with Security Plus and need some advice on how to set up the firewall.

We have a /19 allocation and at the moment have about 25 servers or so which all have fixed/multiple public IPs assigned to them from our /19 allocation. I want to be able to protect my servers from attacks, hacking etc. and want to secure our network using this 5505 firewall. My question is how best to set up the firewall? I have been doing some reading and understand that the 5505 supports a full DMZ. How would I set this up on the firewall? Is it possible to use a DMZ with public IPs?

My network setup is as follows:

Gateway 1.1.1.1
ASA 5505 1.1.1.2
Managed S/W 1.1.1.3

DNS Server 1.1.1.4
Web Server1 1.1.1.5
Web Server2 1.1.1.6
Email 1.1.1.7
etc
Then the private network on 1.1.1.8 - private IP range 192.168.2.0/24

Any pointers would be great.

Thanks for your help


 
So if I'm understanding what you are saying, your ISP allocated you a /19 block of IPs and you want to use some of those IPs for hosts in your DMZ (i.e. the physical host NIC will have a public IP address assigned to it)? Is this correct?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I would recommend setting up your actual NICs with a private DMZ IP network, then have the FW direct the outside IP back to the DMZ IP; that way you can control what ports are opened up. Then you can control what ports are going between that specific box and the inside LAN (if need be).


------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Is there not a way to set up the DMZ using public addresses on the NICs?

The trouble is my mail servers have around 300 domains, each with a public IP assigned, so by using private IPs there will be a lot more work involved to get this configured.
 
Sure you could. You would need to subnet that /19 using VLSM so that you can assign a unique IP range to the DMZ interface. Then you would create a nonat ACL so that hosts in the DMZ will bypass NAT when going outbound. If you need any communication between inside and the DMZ then you'll need to use identity NAT to make it work.

If you need further instruction on how to make it work, post this in the ASA forum including a scrubbed config.

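An added configuration example, not part of the thread, showing the approach the last reply describes: the /19 subnetted with VLSM so the DMZ interface gets its own public range, a nonat ACL so DMZ hosts keep their public addresses, and identity NAT between inside and DMZ. All addresses, interface names (Vlan3/dmz), ACL names and published ports are constructed placeholders; the thread's 1.1.1.x hosts are renumbered into an assumed 1.1.1.16/28 DMZ subnet.

```cisco
! ASA 5505, pre-8.3 NAT syntax (the 7.x/8.0 releases current when this thread was written).
! All addresses are constructed placeholders: outside link 1.1.1.0/29, DMZ 1.1.1.16/28 carved
! from the same /19, inside 192.168.2.0/24. The ISP must route the DMZ block towards 1.1.1.2.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 1.1.1.17 255.255.255.240
!
! Ethernet0/0 is already in Vlan2 (outside) by default; put one switch port in the DMZ VLAN.
interface Ethernet0/1
 switchport access vlan 3
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
! Inside LAN is PATed to the outside interface address when going to the Internet.
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
!
! The "nonat ACL": DMZ hosts keep their public addresses, so exempt them from NAT.
! NAT exemption is bidirectional, so it also covers connections arriving from outside.
access-list dmz_nonat extended permit ip 1.1.1.16 255.255.255.240 any
nat (dmz) 0 access-list dmz_nonat
!
! Identity NAT so inside hosts reach the DMZ untranslated (there is no global on dmz).
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! Only the published services are reachable from outside; everything else is dropped.
access-list outside_in extended permit udp any host 1.1.1.20 eq domain
access-list outside_in extended permit tcp any host 1.1.1.20 eq domain
access-list outside_in extended permit tcp any host 1.1.1.21 eq www
access-list outside_in extended permit tcp any host 1.1.1.22 eq www
access-list outside_in extended permit tcp any host 1.1.1.23 eq smtp
access-group outside_in in interface outside
!
! A compromised DMZ host must not be able to reach the inside LAN.
access-list dmz_out extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_out extended permit ip 1.1.1.16 255.255.255.240 any
access-group dmz_out in interface dmz
```

Verify with `show xlate` and `show conn` that DMZ flows appear untranslated and that `packet-tracer input outside tcp 203.0.113.9 12345 1.1.1.21 80` (constructed source) is allowed while a probe to an unpublished port is dropped by outside_in.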
 