I recently purchased an ASA 5505 and need to configure a DMZ. Before getting into the specifics, I wanted to make sure I understood the basics. Here is what I have completed:
1) Created 3 VLANs - Outside, Inside, DMZ with security levels of 0, 100, and 50 respectively.
2) Assigned port(s) to each VLAN.
4) Configured IP addresses on all 3 interfaces (all in different networks).
5) Because I have the Base license I had to limit one interface from initiating communication; I chose the DMZ.
5) Created a NAT statement translating an external IP address to an address on the DMZ.
6) Created an access list allowing port 80 to the external IP address and applied the access list to the Outside Interface.
Before I get into the actual config, is this all that I should have to do? I am setting this up on a test network before going live. I have two workstations and an IIS server. I want to access the IIS Server on the DMZ from the outside.
Also, I can't ping the DMZ interface from the Outside interface. Is this by design? (I believe I read about this).
Any information will be greatly appreciated. Thanks!
Re: ASA 5505 DMZ/Web server configuration
11 years 5 months ago #21304
First of all I must admit I have not played with the ASAs yet (had one at work for nearly a year now but not had a chance to even get it out of the box). Anyhow, point 1 sounds about right; I have seen config from the ASA and it does seem to work with VLANs. Not sure if you can map directly to the interface; I would imagine you probably can, but someone else will have to confirm that one.
The steps look correct apart from 5). To get the traffic to flow from outside to DMZ, you will need to use a static translation. You would generally use a global/nat to allow traffic from DMZ and Inside to outside, but then you would need the static to set up a static translation on port 80 from the outside to the server in the DMZ.
The ping question I believe is called hair-pinning (hope I remember that correctly; someone else posted the term a few weeks ago). It is configurable in version 7 of the PIX code, so the ASA should support it.
The only way it differs is that the static translation is for allowing the traffic from a lower to a higher security level. So, outside to inside or outside to DMZ. The static will create a static mapping so it can be used to allow traffic from outside to in (and it also allows it in the other direction).
The question is, are you going to be allowing other traffic from either the DMZ or the inside network to go out? If you do then you need to have a global/nat translation set up to allow this (unless the ASA is in routing mode).
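For reference, here is a minimal pre-8.3 ASA 5505 configuration that covers the six steps from the original question plus the static translation the reply describes. This is an added illustration, not config from either poster; all addresses, VLAN and port numbers are constructed placeholders, and the syntax assumes ASA 7.x/8.2 (the `static`/`global`/`nat` form used in the thread).

```cisco
! Switchports: one access port per VLAN (constructed numbering)
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 3
!
! Steps 1 and 3: three VLAN interfaces, security levels 100 / 0 / 50
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan3
 ! Step 4: Base license, the third VLAN may not initiate traffic to inside
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Step 5: one-to-one static translation for the IIS host
! (public 203.0.113.10 -> DMZ 192.168.2.10)
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
!
! Outbound PAT for inside and DMZ hosts (the global/nat pair from the reply)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
!
! Step 6: permit only TCP/80 from anywhere to the TRANSLATED address,
! applied inbound on the outside interface; everything else stays denied
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Optional: let the outside interface itself answer echo requests
icmp permit any echo outside
```

Note that the `icmp permit` line only affects pings addressed to the outside interface's own address; the ASA does not answer pings to an interface address (such as the DMZ's 192.168.2.1) that arrive on a different interface, so the far-side ping in the question fails by design and is not an indicator of a NAT or ACL problem.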