Skip to main content

ASA 5505 DMZ/Web server configuration

More
17 years 7 months ago #21301 by skepticals
I recently purchased an ASA 5505 and need to configure a DMZ. Before getting into the specifics, I wanted to make sure I understood the basics. Here is what I have completed:

1) Created 3 VLANs - Outside, Inside, DMZ with security levels of 0, 100, and 50 respectively.

2) Assigned port(s) to each VLAN.

3) Configured IP addresses on all 3 interfaces (All in different networks)

4) Because I have the basic license I had to limit on interface from initiating communication; I chose the DMZ.

5) Created a NAT statement translating an external IP address to an address on the DMZ.

6) Created an access list allowing port 80 to the external IP address and applied the access list to the Outside Interface.

Before I get into the actual config, is this all that I should have to do? I am setting this up on a test network before going live. I have two workstations and an IIS server. I want to access the IIS Server on the DMZ from the outside.

Also, I can't ping the DMZ interface from the Outside interface. Is this by design? (I believe I read about this).

Any information will be greatly appreciated. Thanks!
More
17 years 7 months ago #21304 by Smurf
First of all i must admit i have not played with the ASA's yet (had one at work for nearly a year now but not had chance to even get it out of the box). Anyhow, point 1 sounds about right, i have seen config from the ASA and it does seem to work with VLAN's, not sure if you can map directly to the interface, i would imagine you probably can but someone else will have to confirm that one.

The steps look correct appart from 5). To get the traffic to flow from outside to DMZ, you will need to use a static translation. You would generally use a global/nat to allow traffic from DMZ and Inside to outside but then you would need the static to setup a static translation on port 80 from the outside to the server on in the dmz.

The ping question i beleive is called Hair-Pinning (hope i remember that correctly, someone else posted to term a few weeks ago). It is configurable in version 7 of the Pix code, so the ASA should support it.

Cheers

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 7 months ago #21305 by skepticals
Replied by skepticals on topic Step 5
How does one go about creating the global statement? I'm not sure how my way differs.

I setup an external ip addess of 198.111.167.20, for instance, and mapped that to a DMZ address 172.16.0.60 port 80. The 172.16.0.60 address belongs to the web server.

I thought this would allow a person on the outside interface access to the web server. Is this incorrect?
More
17 years 7 months ago #21306 by Smurf
The only way it differs is that the static translation is for allowing the traffic from a lower to high security level. So, outside to inside or outside to dmz. The static will create a static mapping so it can be used to allow traffic from outside to in (and it also allows it in the other direction).

The question is, are you going to be allowing other traffic from either in the DMZ or the inside network, to go out ? If you do then you need to have a global/nat translation setup to allow this (unless the ASA is in routing mode).

If you want an example then let me know.

cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 7 months ago #21336 by skepticals
Replied by skepticals on topic Example
Yes, I think an example would help.

I am using routing mode on the ASA.

I want to have Outside, Inside, and DMZ interfaces with the ability to access a web server on the DMZ from the Outside and Inside interfaces.

Thanks!
More
17 years 7 months ago #21337 by Smurf
Hmm, i will have a think about this one. If using routing mode then you will not need to setup translations however i am not sure how traffic from a low to high security level is handled.

Suppose you could just setup the access lists and see if it allows the traffic to flow.

Someone else may know this one off the top of their heads but i have never done it.

May have to open my ASA box and do a bit of testing.

If no-one replies i will get my ASA out and do a bit of testing.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.131 seconds