
DMZ Web Server and Mail Server??

cal060307 (Technical User, AU), Jun 20, 2007
Hi All

I am going to implement a mail server and a web server at work, so I need to get as much information as I possibly can.

In regard to the DMZ, can I put them (mail and web) in the same DMZ VLAN, or do I have to put them separately?

At the moment we have only 1 static IP address for internet access. Do I need to have a second static IP address for the DMZ VLAN?

And we have an ASA 5505 firewall in place.

What else should I look into? Please help me.

Thanks a lot in advance

Cheers
 
With the 5505 you only get one DMZ with the base license. So they will have to be in the same DMZ. You won't need a second IP, you can just map the ports you want to the DMZ with the appropriate statics.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent

Thanks for your help.

For security purposes, because they are in the same VLAN, is it secure enough for us to put the mail server there, which will be an MS Exchange server? And we want internal users to access both Exchange and the web server from inside, as well as webmail.

Once again thanks a lot

 
The DMZ is generally just one network with all the (hardened) external servers in it, so that should not be a problem. Just limit what can go in on each interface of the ASA.

The 5505 base license only allows outside access to the DMZ and not internal access. (I remember reading that somewhere.) To get the internal users to have access, you will have to upgrade to the Security Plus license.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 

Hi Brent

Very much appreciated.
I'll let you guys know how I go with that.

Cheers
 
Regarding Supergrover's comment about one DMZ in the 5505: I've been curious about this in the 5505 base model.

Does that mean that there is one DMZ network, to which several statics can (with additional addresses) be mapped? Or does it mean that there can be one internal IP address that all statics must map to as a target machine in the DMZ?

Is there a capability reference matrix for the various 55xx series systems?

Thx!
 
With the base license you are limited to 3 VLANs, which means ... outside, inside, DMZ. In addition, with the base license the DMZ can only talk to one of the 2 other interfaces.
 
For example, the DMZ can talk with the outside (as in a web server), but the inside can't talk to the DMZ? I.e., the security-level model is somehow crippled?
 
The DMZ can talk to the outside, and the inside can talk to the DMZ. However, the DMZ can't initiate traffic to the inside; it can only reply to requests.
 
Hi all

Yes, brianinms is right. As I am working on it, I am now able to do the following:

INTERNAL -> DMZ (using RDC)
INTERNET -> DMZ (WEB SERVER)
DMZ -X-> INTERNAL

But I can't ping the DMZ host from an internal host atm. I should be able to; I am still struggling with that.

Thanks

Cheers
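How the pieces discussed in this thread fit together on an ASA 5505 base license, as an added example that is not any poster's configuration: it assumes pre-8.3 (2007-era) NAT syntax, inside on Vlan1 (192.168.1.0/24), a hypothetical DMZ 192.168.2.0/24 on Vlan3 with one server at 192.168.2.10, and the single public address sitting on the outside interface (Vlan2).

```text
! Added example, not from any poster in this thread. Assumes ASA 5505 base
! license, pre-8.3 software (2007-era NAT syntax), the single static IP on
! Vlan2 (outside), inside 192.168.1.0/24 on Vlan1, and a hypothetical
! DMZ 192.168.2.0/24 on Vlan3 hosting web/mail on 192.168.2.10.
!
! Third VLAN on the base license: it must be told it cannot initiate traffic
! to one other VLAN. Choosing Vlan1 (inside) gives exactly the behaviour
! brianinms describes: inside -> dmz allowed, dmz -> inside blocked.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! One public address only: map ports on the outside interface address to the
! DMZ host instead of using a second static IP.
static (dmz,outside) tcp interface 80 192.168.2.10 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 25 192.168.2.10 25 netmask 255.255.255.255
static (dmz,outside) tcp interface 443 192.168.2.10 443 netmask 255.255.255.255
!
! Only the published services may enter from the Internet; everything else is
! dropped by the implicit deny at the end of the list.
access-list outside_in extended permit tcp any interface outside eq 80
access-list outside_in extended permit tcp any interface outside eq 25
access-list outside_in extended permit tcp any interface outside eq 443
access-group outside_in in interface outside
!
! Hardened DMZ: the server may only send outbound SMTP and resolve names;
! the explicit deny towards inside is belt-and-braces on top of no forward.
access-list dmz_out extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_out extended permit tcp host 192.168.2.10 any eq 25
access-list dmz_out extended permit udp host 192.168.2.10 any eq 53
access-group dmz_out in interface dmz
!
! Let ICMP echo replies from the DMZ return to inside hosts that ping them.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Replies to connections opened from inside are handled statefully, so the dmz_out list only governs what the DMZ host can start on its own.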
 