ASA 5505 DMZ/Web server configuration

As far as I know, traffic from a low security to a high security interface is blocked...

Let me know if anyone has any information.

Thanks.

Yes thats what i thought however in routed mode then i don't see any reason to setup a static translation which is normally how your would allow traffic from outside to inside.

I thought traffic wouldn't flow from low to high but i think this is only the case if;

1. Nat is used
2. no static is configured (or Outbound filters and conduits)

I am swaying towards saying that all you need to do is setup the access-list in order to allow the traffic to flow from high to low and vicaversa. Here is an extract from one of my books (Cisco PIX Firewalls by Richard A. Deal ISBN 0-07-222523-8 );

One major difference with PIX ACLs is that you can perform filtering on traffic entering a specific interface. This gives you a lot more flexibility in filtering since you are not limited to the flow of traffic between interfaces, as is the case with conduits and outbound filters. In otherwords, ACLs dont examine the security levels of interfaces involved in the traffic flow - just the packet contents and the traffic entering an interface that has the ACL applied to it. Since ACLs can be used for filtering of traffic between higher- and lower-level interfaces, and vice versa, they work in tandem with static commands, since static address translation is required for traffic from a lower-level interface to a higher one.

I am assuming, that since you are not NATting, then the flow will be allowed due to the part of the text "ACLs dont examine the security levels of interfaces".

Give it a bash and let us know if i am right.

Cheers

I am confused. I am using NAT; should I not use NAT? or am I misunderstanding you?

I am using NAT in order to hide the real IP address of the Web Server on the DMZ. The web server has a private IP address and I am using NAT to translate a public IP address on the Outside Interface.

I used the packet tracer utility in the ASDM and I trace packets to the web server from an outsite address and from the web server to an outside address and the utility states the packet is allowed; however, I am not able to load the web page. If I plug my computer into the DMZ switch, I am able to access the web server's page without problems.

Essentially this is what I did:

1) VLANS - Outside, Inside, DMZ
2) Assigned physical ports to each VLAN as needed
3) Assigned an public IP address to the Outside interface and private to the other interfaces. Set security levels.
4) Created a NAT statement translating a public IP address to the private web server's IP address.
5) Created a policy allowing inbound (port 80) traffic on the Outside interface to the public IP address. (This address is NATed to the private web server's address).
6) Configured a global route (I think) route Outside 0.0.0.0 0.0.0.0 [router's IP address]

Questions:
How are the interfaces (VLANs) treated by the ASA. If I allow traffic to the Outside address that is NATed, does this allow the traffic to pass to the DMZ? or do I need a separate rule to allow this traffic. For instance, if I had a public address of 198.111.X.X that is translated to 172.16.0.3 and I allow port 80 inbound to the 198.111.X.X address, does this allow it all the way to the 172.16.0.3 address?

Also, all my research for setting up DMZs shows using address pools. Is this necessary? I think I am using PAT, which requires only one address? Some of the documentation also has outbound NAT pools for nodes in the DMZ.

The more I read, the more confused I become. If anyone actually takes the time to read all this and respond - thanks!

I am confused. I am using NAT; should I not use NAT? or am I misunderstanding you?

One of your previous posts said "I am using routing mode on the ASA.". Therefore i thought you didn't require NAT since you were in routing mode.

I am using NAT in order to hide the real IP address of the Web Server on the DMZ. The web server has a private IP address and I am using NAT to translate a public IP address on the Outside Interface.

Thats fine.

Essentially this is what I did:

1) VLANS - Outside, Inside, DMZ
2) Assigned physical ports to each VLAN as needed
3) Assigned an public IP address to the Outside interface and private to the other interfaces. Set security levels.
4) Created a NAT statement translating a public IP address to the private web server's IP address.
5) Created a policy allowing inbound (port 80) traffic on the Outside interface to the public IP address. (This address is NATed to the private web server's address).
6) Configured a global route (I think) route Outside 0.0.0.0 0.0.0.0 [router's IP address]

4 - You would need to configure Global/NAT in order to configure this. The Global will only be configured with the one IP ADdress (or Outside interface) which will, like you said turn this into Pat. You will therefore need to configure the Static to specify the Outside Interface, translating to your webserver. You will need to do this on a port of port 80 since you will be unable to do a Static IP to IP mapping since you only have the one address on the outside.

This should really answer the questions here. If i get chance after i will put some examples together.

Let me know if you have further question (if i have not been clear enough)

Cheers

Wayne

Well... it appears that I am doing everything correctly. Maybe I will reconfigure all of this from start to finish and post my config. Would this help?

Yup, it should help to see whats missing if it isn't working after you have done that. Please remember to remove all passwords.