Posted: Mon Apr 23, 2007 10:46 pm Post subject: ASA 5505 DMZ/Web server configuration
I recently purchased an ASA 5505 and need to configure a DMZ. Before getting into the specifics, I wanted to make sure I understood the basics. Here is what I have completed:
1) Created 3 VLANs - Outside, Inside, DMZ with security levels of 0, 100, and 50 respectively.
2) Assigned port(s) to each VLAN.
3) Configured IP addresses on all 3 interfaces (All in different networks)
4) Because I have the basic license I had to limit one interface from initiating communication; I chose the DMZ.
5) Created a NAT statement translating an external IP address to an address on the DMZ.
6) Created an access list allowing port 80 to the external IP address and applied the access list to the Outside Interface.
Before I get into the actual config, is this all that I should have to do? I am setting this up on a test network before going live. I have two workstations and an IIS server. I want to access the IIS Server on the DMZ from the outside.
Also, I can't ping the DMZ interface from the Outside interface. Is this by design? (I believe I read about this).
Any information will be greatly appreciated. Thanks!
Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Mon Apr 23, 2007 11:08 pm Post subject:
First of all I must admit I have not played with the ASAs yet (had one at work for nearly a year now but not had a chance to even get it out of the box). Anyhow, point 1 sounds about right; I have seen config from the ASA and it does seem to work with VLANs. Not sure if you can map directly to the interface, I would imagine you probably can, but someone else will have to confirm that one.
The steps look correct apart from 5). To get the traffic to flow from outside to DMZ, you will need to use a static translation. You would generally use a global/nat to allow traffic from DMZ and Inside to outside, but then you would need the static to set up a static translation on port 80 from the outside to the server in the DMZ.
The ping question I believe is called Hair-Pinning (hope I remember that correctly, someone else posted the term a few weeks ago). It is configurable in version 7 of the PIX code, so the ASA should support it.
Cheers
Wayne
_________________
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
How does one go about creating the global statement? I'm not sure how my way differs.
I set up an external IP address of 198.111.167.20, for instance, and mapped that to a DMZ address 172.16.0.60 port 80. The 172.16.0.60 address belongs to the web server.
I thought this would allow a person on the outside interface access to the web server. Is this incorrect?
Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Mon Apr 23, 2007 11:32 pm Post subject:
The only way it differs is that the static translation is for allowing traffic from a lower to a higher security level, so outside to inside or outside to DMZ. The static will create a static mapping so it can be used to allow traffic from outside to in (and it also allows it in the other direction).
The question is, are you going to be allowing other traffic from either the DMZ or the inside network to go out? If you do, then you need to have a global/nat translation set up to allow this (unless the ASA is in routing mode).
If you want an example then let me know.
Cheers, Wayne
Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Tue Apr 24, 2007 7:16 pm Post subject:
Hmm, I will have a think about this one. If using routing mode then you will not need to set up translations; however I am not sure how traffic from a low to high security level is handled.
Suppose you could just set up the access lists and see if it allows the traffic to flow.
Someone else may know this one off the top of their head, but I have never done it.
May have to open my ASA box and do a bit of testing.
If no-one replies I will get my ASA out and do a bit of testing.
Cheers, Wayne
Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Tue Apr 24, 2007 10:14 pm Post subject:
Yes, that's what I thought; however, in routed mode I don't see any reason to set up a static translation, which is normally how you would allow traffic from outside to inside.
I thought traffic wouldn't flow from low to high, but I think this is only the case if:
1. NAT is used
2. no static is configured (or outbound filters and conduits)
I am swaying towards saying that all you need to do is set up the access-list in order to allow the traffic to flow from high to low and vice versa. Here is an extract from one of my books (Cisco PIX Firewalls by Richard A. Deal, ISBN 0-07-222523-8):
Quote:
One major difference with PIX ACLs is that you can perform filtering on traffic entering a specific interface. This gives you a lot more flexibility in filtering since you are not limited to the flow of traffic between interfaces, as is the case with conduits and outbound filters. In other words, ACLs don't examine the security levels of interfaces involved in the traffic flow, just the packet contents and the traffic entering an interface that has the ACL applied to it. Since ACLs can be used for filtering of traffic between higher- and lower-level interfaces, and vice versa, they work in tandem with static commands, since static address translation is required for traffic from a lower-level interface to a higher one.
I am assuming that, since you are not NATting, the flow will be allowed due to the part of the text "ACLs don't examine the security levels of interfaces".
Give it a bash and let us know if I am right.
Cheers, Wayne
Posted: Thu Apr 26, 2007 3:38 pm Post subject: Confused
I am confused. I am using NAT; should I not use NAT? or am I misunderstanding you?
I am using NAT in order to hide the real IP address of the Web Server on the DMZ. The web server has a private IP address and I am using NAT to translate a public IP address on the Outside Interface.
I used the packet tracer utility in the ASDM and I traced packets to the web server from an outside address and from the web server to an outside address, and the utility states the packet is allowed; however, I am not able to load the web page. If I plug my computer into the DMZ switch, I am able to access the web server's page without problems.
Essentially this is what I did:
1) VLANS - Outside, Inside, DMZ
2) Assigned physical ports to each VLAN as needed
3) Assigned an public IP address to the Outside interface and private to the other interfaces. Set security levels.
4) Created a NAT statement translating a public IP address to the private web server's IP address.
5) Created a policy allowing inbound (port 80) traffic on the Outside interface to the public IP address. (This address is NATed to the private web server's address).
6) Configured a global route (I think) route Outside 0.0.0.0 0.0.0.0 [router's IP address]
Questions:
How are the interfaces (VLANs) treated by the ASA. If I allow traffic to the Outside address that is NATed, does this allow the traffic to pass to the DMZ? or do I need a separate rule to allow this traffic. For instance, if I had a public address of 198.111.X.X that is translated to 172.16.0.3 and I allow port 80 inbound to the 198.111.X.X address, does this allow it all the way to the 172.16.0.3 address?
Also, all my research for setting up DMZs shows using address pools. Is this necessary? I think I am using PAT, which requires only one address? Some of the documentation also has outbound NAT pools for nodes in the DMZ.
The more I read, the more confused I become. If anyone actually takes the time to read all this and respond - thanks!
Quote:
I am confused. I am using NAT; should I not use NAT? or am I misunderstanding you?
One of your previous posts said "I am using routing mode on the ASA.". Therefore i thought you didn't require NAT since you were in routing mode.
Quote:
I am using NAT in order to hide the real IP address of the Web Server on the DMZ. The web server has a private IP address and I am using NAT to translate a public IP address on the Outside Interface.
Thats fine.
Quote:
Essentially this is what I did:
1) VLANS - Outside, Inside, DMZ
2) Assigned physical ports to each VLAN as needed
3) Assigned an public IP address to the Outside interface and private to the other interfaces. Set security levels.
4) Created a NAT statement translating a public IP address to the private web server's IP address.
5) Created a policy allowing inbound (port 80) traffic on the Outside interface to the public IP address. (This address is NATed to the private web server's address).
6) Configured a global route (I think) route Outside 0.0.0.0 0.0.0.0 [router's IP address]
4 - You would need to configure Global/NAT in order to configure this. The Global will only be configured with the one IP address (or Outside interface), which will, like you said, turn this into PAT. You will therefore need to configure the Static to specify the Outside Interface, translating to your web server. You will need to do this on a port basis (port 80), since you will be unable to do a Static IP-to-IP mapping when you only have the one address on the outside.
This should really answer the questions here. If I get a chance afterwards I will put some examples together.
Let me know if you have further questions (if I have not been clear enough).
Cheers
Wayne
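The global/nat plus static-PAT plus ACL layout Wayne describes in his last two replies, written out as a complete ASA 5505 configuration. This is an added example by the editor, not config posted in the thread and not taken from Cisco documentation. It reuses the poster's 198.111.167.20 (public) and 172.16.0.60 (DMZ web server) from earlier in the thread; the inside subnet 192.168.1.0/24, the DMZ subnet 172.16.0.0/24, the /29 outside mask, the ISP gateway 198.111.167.1 and the port-to-VLAN assignment are assumptions. The syntax is the pre-8.3 (7.x / 8.0) code train a 5505 ran in 2007.

```cisco
! Added example (editor), not from the original thread. Pre-8.3 ASA syntax.
! Assumed: 192.168.1.0/24 inside, 172.16.0.0/24 DMZ, 198.111.167.1 ISP gateway.
hostname asa5505
!
! --- Layer 2: three VLANs (the Basic license maximum) and port membership ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.111.167.20 255.255.255.248
!
! Basic license: the third VLAN may not initiate traffic to one of the others.
! 'no forward interface' must be entered before nameif or the ASA rejects it.
! DMZ hosts can still answer inside-initiated connections.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
! Ethernet0/2 - 0/7 remain in VLAN 1 (inside) by default.
!
! --- Outbound: inside and DMZ hosts are PAT'd behind the outside address ---
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! --- Inbound: one public address, so a per-port static (static PAT) ---
! outside 198.111.167.20:80 -> dmz 172.16.0.60:80. Only TCP/80 is mapped;
! every other port on the web server is unreachable from outside.
static (dmz,outside) tcp interface www 172.16.0.60 www netmask 255.255.255.255
!
! --- ACL on the outside interface ---
! Pre-8.3 ACLs match the MAPPED (public) address. One rule on the public IP
! is therefore enough: the static carries the permitted flow to the real host,
! no second rule on 172.16.0.60 is needed.
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Default route toward the ISP router
route outside 0.0.0.0 0.0.0.0 198.111.167.1 1
!
! --- Verification from the CLI (the same check ASDM's packet tracer runs) ---
! asa5505# packet-tracer input outside tcp 203.0.113.5 40000 198.111.167.20 80
! asa5505# show xlate
!   expect: PAT Global 198.111.167.20(80) Local 172.16.0.60(80)
! asa5505# show access-list OUTSIDE_IN
!   the permit line's hit count should increase with each client request
```

Two checks worth making when packet-tracer says "allow" but the page still does not load: the web server's default gateway must be the DMZ interface address (172.16.0.1 here), otherwise its replies never return through the ASA, and the upstream router must actually deliver 198.111.167.20 to the ASA's outside port. On the ping question: the ASA by design does not answer ICMP echo sent to an interface address other than the interface the packet arrives on, so not being able to ping the DMZ interface from outside is expected and is unrelated to hairpinning (hairpinning is traffic entering and leaving the same interface, enabled with `same-security-traffic permit intra-interface`). On ASA 8.3 and later the NAT and ACL model changed: the static becomes `object network WEB_SERVER` / `host 172.16.0.60` / `nat (dmz,outside) static interface service tcp www www`, and the outside ACL references the real address (`permit tcp any object WEB_SERVER eq www`) rather than the mapped one.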