Scenario: DMZ Configuration


Table Of Contents

Scenario: DMZ Configuration

Example DMZ Network Topology

Configuring the Security Appliance for a DMZ Deployment

Configuration Requirements

Starting ASDM

Creating IP Pools for Network Address Translation

Configuring NAT for Inside Clients to Communicate with the DMZ Web Server

Configuring NAT for Inside Clients to Communicate with Devices on the Internet

Configuring an External Identity for the DMZ Web Server

Providing Public HTTP Access to the DMZ Web Server

What to Do Next


Scenario: DMZ Configuration


This chapter describes a configuration scenario in which the security appliance is used to protect network resources located in a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.

This chapter includes the following sections:

Example DMZ Network Topology

Configuring the Security Appliance for a DMZ Deployment

What to Do Next

Example DMZ Network Topology

The example network topology shown in Figure 2-1 is typical of most DMZ implementations of the security appliance.

Figure 2-1 Network Layout for DMZ Configuration Scenario

This example scenario has the following characteristics:

The web server is on the DMZ interface of the security appliance.

HTTP clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet.

Clients on the Internet are permitted HTTP access to the DMZ web server; all other traffic is denied.

The network has two routable IP addresses that are publicly available: one for the outside interface of the security appliance (209.165.200.225), and one for the public IP address of the DMZ web server (209.165.200.226).

Figure 2-2 shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the Internet.

Figure 2-2 Outgoing HTTP Traffic Flow from the Private Network

In Figure 2-2, the security appliance permits HTTP traffic originating from inside clients and destined for both the DMZ web server and devices on the Internet. To permit the traffic through, the security appliance configuration includes the following:

Access control rules permitting traffic destined for the DMZ web server and for devices on the Internet.

Address translation rules translating private IP addresses so that the private addresses are not visible to the Internet.

For traffic destined for the DMZ web server, private IP addresses are translated to an address from an IP pool.

For traffic destined for the Internet, private IP addresses are translated to the public IP address of the security appliance. Outgoing traffic appears to come from this address.

Figure 2-3 shows HTTP requests originating from the Internet and destined for the public IP address of the DMZ web server.

Figure 2-3 Incoming HTTP Traffic Flow From the Internet

To permit incoming traffic to access the DMZ web server, the security appliance configuration includes the following:

An address translation rule translating the public IP address of the DMZ web server to the private IP address of the DMZ web server.

An access control rule permitting incoming HTTP traffic that is destined for the DMZ web server.

The procedures for creating this configuration are detailed in the remainder of this chapter.

Configuring the Security Appliance for a DMZ Deployment

This section describes how to use ASDM to configure the security appliance for the configuration scenario shown in Figure 2-1. The procedure uses sample parameters based on the scenario.

This configuration procedure assumes that the inside, DMZ, and outside interfaces of the security appliance are already configured. Set up the interfaces by using the Startup Wizard in ASDM. Be sure that the DMZ interface security level is higher than that of the outside interface (0) and lower than that of the inside interface (100); a common choice is 50. The security levels determine the default behavior: traffic can flow from a higher-security interface to a lower-security interface without an access rule, while traffic from a lower-security interface to a higher-security interface is denied unless an access rule permits it.

For more information about using the Startup Wizard, see Setting Up the Security Appliance.

The section includes the following topics:

Configuration Requirements

Starting ASDM

Creating IP Pools for Network Address Translation

Configuring NAT for Inside Clients to Communicate with the DMZ Web Server

Configuring an External Identity for the DMZ Web Server

Providing Public HTTP Access to the DMZ Web Server

The following sections provide detailed instructions for how to perform each step.

Configuration Requirements

Configuring the security appliance for this DMZ deployment requires the following configuration tasks:

For the internal clients to have HTTP access to the DMZ web server, you must create a pool of IP addresses for address translation and identify which clients should use addresses from the pool. To accomplish this task, you should configure the following:

A pool of IP addresses for the DMZ interface. In this scenario, the IP pool is 10.30.30.50-10.30.30.60.

A dynamic NAT translation rule for the inside interface that specifies which client IP addresses can be assigned an address from the IP pool.

For the internal clients to have access to HTTP and HTTPS resources on the Internet, you must create a rule that translates the real IP addresses of internal clients to an external address that can be used as the source address.

To accomplish this task, you should configure a PAT translation rule (port address translation rule, sometimes called an interface NAT) for the internal interface that translates internal IP addresses to the external IP address of the security appliance.

In this scenario, the addresses to be translated are those of a subnet of the private network (10.10.10.0/24). Addresses from this subnet are translated to the public address of the outside interface of the security appliance (209.165.200.225).

For external clients to have HTTP access to the DMZ web server, you must configure an external identity for the DMZ web server and an access rule that permits HTTP requests coming from clients on the Internet. To accomplish this task, you should configure the following:

Create a static NAT rule. This rule translates the real IP address of the DMZ web server to a single public IP address. In this scenario, the public address of the web server is 209.165.200.226.

Create a security access rule permitting traffic from the Internet if the traffic is an HTTP request destined for the public IP address of the DMZ web server.

Starting ASDM

To run ASDM in a web browser, enter the factory-default IP address in the address field: https://192.168.1.1/admin/.


Note Remember to add the "s" in "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.


The Main ASDM window appears.

Creating IP Pools for Network Address Translation

The security appliance uses Network Address Translation (NAT) and Port Address Translation (PAT) to prevent internal IP addresses from being exposed externally. This procedure describes how to create a pool of IP addresses that the DMZ interface and outside interface can use for address translation.

A single IP pool can contain both NAT and PAT entries, and it can contain entries for more than one interface.

To configure a pool of IP addresses that can be used for network address translation, perform the following steps:


Step 1 In the ASDM window, click the Configuration tool.

a. In the Features pane, click NAT.

The NAT Configuration screen appears.

b. In the right pane, click the Global Pools tab.

c. Click Add to create a new global pool for the DMZ interface.

The Add Global Address Pool dialog box appears.


Note For most configurations, IP pools are added to the less secure, or public, interfaces.


d. From the Interfaces drop-down list, choose DMZ.

e. To create a new IP pool, enter a unique Pool ID. In this scenario, the Pool ID is 200.

f. In the IP Addresses to Add area, specify the range of IP addresses to be used by the DMZ interface:

Click the Range radio button.

Enter the Starting IP address and Ending IP address of the range. In this scenario, the range of IP addresses is 10.30.30.50-10.30.30.60.

(Optional) Enter the Netmask for the range of IP addresses.

g. Click Add to add this range of IP addresses to the Address Pool.

The Add Global Pool dialog box configuration should be similar to the following:

h. Click OK to return to the Configuration > NAT window.

Step 2 Add addresses to the IP pool to be used by the outside interface. These addresses are used to translate the private IP addresses of inside clients when they communicate with hosts on the Internet, so that the private addresses are not exposed.

In this scenario, there are limited public IP addresses available. Use Port Address Translation (PAT) so that many internal IP addresses can map to the same public IP address, as follows:

a. In the right pane of the NAT Configuration screen, click the Global Pools tab.

b. Under the Global Pools tab, click Add.

The Add Global Pool Item dialog box appears.

c. From the Interface drop-down list, choose Outside.

d. Specify a Pool ID for the Outside interface.

You can add these addresses to the same IP pool that contains the address pool used by the DMZ interface (in this scenario, the Pool ID is 200).

e. Click the Port Address Translation (PAT) using the IP address of the interface radio button.

If you select the option Port Address Translation using the IP address of the interface, all traffic initiated from the inside network exits the security appliance using the IP address of the outside interface. To the devices on the Internet, it appears that all traffic is coming from this one IP address.

f. Click the Add button to add this new address to the IP pool.

g. Click OK.

The displayed configuration should be similar to the following:

Step 3 Confirm that the configuration values are correct.

Step 4 Click Apply in the main ASDM window.


Configuring NAT for Inside Clients to Communicate with the DMZ Web Server

In the previous procedure, you created a pool of IP addresses that could be used by the security appliance to mask the private IP addresses of inside clients.

In this procedure, you configure a Network Address Translation (NAT) rule that assigns IP addresses from this pool to the inside clients when they communicate with the DMZ web server, so that the web server sees a pool address rather than a private inside address.

To configure NAT between the inside interface and the DMZ interface, perform the following steps starting from the main ASDM window:


Step 1 In the main ASDM window, click the Configuration tool.

Step 2 In the Features pane, click NAT.

Step 3 From the Add drop-down list, choose Add Dynamic NAT Rule.

The Add Dynamic NAT Rule dialog box appears.

Step 4 In the Real Address area, specify the addresses to be translated. In this scenario, inside clients are translated by subnet rather than individually.

a. From the Interface drop-down list, choose the Inside interface.

b. Enter the IP address of the client or network. In this scenario, the IP address of the network is 10.10.10.0.

c. From the Netmask drop-down list, choose the Netmask. In this scenario, the netmask is 255.255.255.0.

Step 5 In the Dynamic Translation area:

a. From the Interface drop-down list, choose the DMZ interface.

b. To specify the address pool to be used for this Dynamic NAT rule, check the Select check box next to Global Pool ID. In this scenario, the IP pool ID is 200.

In this scenario, the IP pool that we want to use is already created. If it was not already created, you would click Add to create a new IP pool.

c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window.

Review the configuration screen to verify that the translation rule appears as you expected.


Note When you click OK to create this rule, notice that there are actually two translation rules created:

A translation rule between the inside and DMZ interfaces to be used when inside clients communicate with the DMZ web server.

A translation rule between the inside and outside interfaces to be used when inside clients communicate with the Internet.

ASDM is able to create both rules because the addresses to be used for translation are both in the same IP pool.


The displayed configuration should be similar to the following:

Step 6 Click Apply to complete the security appliance configuration changes.


Configuring NAT for Inside Clients to Communicate with Devices on the Internet

In the previous procedure, you configured a Network Address Translation (NAT) rule that associates IP addresses from the IP pool with the inside clients so they can communicate securely with the DMZ web server.

For many configurations, you would also need to create a NAT rule between the inside interface and the outside interface to enable inside clients to communicate with the Internet.

However, in this scenario you do not need to create this rule explicitly. The reason is that the IP pool (pool ID 200) contains both types of addresses needed for address translation: the range of IP addresses to be used by the DMZ interface, and the IP address to be used for the outside interface. This enables ASDM to create the second translation rule for you.

Configuring an External Identity for the DMZ Web Server

The DMZ web server needs to be accessible by all hosts on the Internet. This configuration requires translating the private IP address of the DMZ web server to a public IP address, enabling access to outside HTTP clients that are unaware of the security appliance. To map the real web server IP address (10.30.30.30) statically to a public IP address (209.165.200.226), perform the following steps:


Step 1 In the ASDM window, click the Configuration tool.

Step 2 In the Features pane, click NAT.

Step 3 From the Add drop-down list, choose Add Static NAT Rule. The Add Static NAT Rule dialog box appears.

Step 4 In the Real Address area, specify the real IP address of the web server:

a. From the Interface drop-down list, choose the DMZ interface.

b. Enter the real IP address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.

c. From the Netmask drop-down list, choose the Netmask 255.255.255.255.

Step 5 In the Static Translation area, specify the public IP address to be used for the web server:

a. From the Interface drop-down list, choose Outside.

b. From the IP Address drop-down list, choose the public IP address of the DMZ web server.

In this scenario, the public IP address of the DMZ web server is 209.165.200.226.

Step 6 Click OK to add the rule and return to the list of Address Translation Rules.

This rule maps the real web server IP address (10.30.30.30) statically to the public IP address of the web server (209.165.200.226).

The displayed configuration should be similar to the following:

Step 7 Click Apply to complete the security appliance configuration changes.


Providing Public HTTP Access to the DMZ Web Server

By default, the security appliance denies all traffic coming in from the public network. You must create an access control rule on the security appliance to permit specific traffic types from the public network to resources in the DMZ. This access control rule specifies the interface of the security appliance that processes the traffic, whether the traffic is incoming or outgoing, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted.

In this section, you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet, if the destination of the traffic is the web server on the DMZ network. All other traffic coming in from the public network is denied.

To configure the access control rule, perform the following steps:


Step 1 In the ASDM window:

a. Click the Configuration tool.

b. In the Features pane, click Security Policy.

c. Click the Access Rules tab, and then from the Add pull-down list, choose Add Access Rule.

The Add Access Rule dialog box appears.

Step 2 In the Interface and Action area:

a. From the Interface drop-down list, choose Outside.

b. From the Direction drop-down list, choose Incoming.

c. From the Action drop-down list, choose Permit.

Step 3 In the Source area:

a. From the Type drop-down list, choose IP Address.

b. Enter the IP address of the source host or source network. To permit traffic originating from any host or network, enter 0.0.0.0 and use the netmask 0.0.0.0 in substep c.

Alternatively, if the address of the source host or network is preconfigured, choose the source IP address from the IP Address drop-down list.

c. Enter the netmask for the source IP address or select one from the Netmask drop-down list.

Step 4 In the Destination area:

a. In the IP address field, enter the public IP address of the destination host or network, such as a web server. (In this scenario, the public IP address of the DMZ web server is 209.165.200.226.)

Step 5 In the Protocol and Service area, specify the type of traffic that you want to permit through the security appliance.

a. From the Protocol drop-down list, choose tcp.

b. In the Source Port area, click the Service radio button, choose "=" (equal to) from the Service drop-down list, and then choose Any from the next drop-down list.

c. In the Destination Port area, click the Service radio button, choose "=" (equal to) from the Service drop-down list, and then choose HTTP/WWW from the next drop-down list.

At this point, the entries in the Add Access Rule dialog box should be similar to the following:

d. Click OK.

Step 6 The displayed configuration should be similar to the following. Verify that the information you entered is accurate.

Step 7 Click Apply to save the configuration changes to the configuration that the security appliance is currently running.

Clients on both the private and public networks can now reach the DMZ web server over HTTP, while all other traffic arriving from the Internet is still dropped by the implicit deny on the outside interface.


Note The access rule is written in terms of the public address of the DMZ web server (209.165.200.226), which is how the security appliance sees the destination on the outside interface. The static translation created in the "Configuring an External Identity for the DMZ Web Server" section maps that public address to the real address of the web server (10.30.30.30), so permitted HTTP requests are delivered to the server on the DMZ interface. Both pieces are required: the translation without the rule is blocked by the implicit deny, and the rule without the translation has no DMZ host to deliver to.


Step 8 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.

Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.

If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
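The following Python model is an added illustration and is not part of the Cisco guide or of ASDM. It encodes the policy the preceding sections build (pool 200 with its DMZ range and outside interface PAT, the dynamic NAT rule for 10.10.10.0/24, the static translation for the web server, and the inbound HTTP rule on the outside interface) and evaluates sample packets against it using the pre-8.3 ASA semantics this chapter reflects: higher-to-lower security traffic is allowed by default, lower-to-higher traffic needs an access rule, and a rule applied inbound on outside is matched against the public (translated) destination. The addresses are the scenario's; the assumption that the DMZ is a /24, the rule name OUTSIDE_ACCESS_IN, the sample Internet hosts, and the assumption that nat-control is disabled (the appliance default) are not from the guide. It also surfaces three caveats the procedure does not spell out: the pool 10.30.30.50-10.30.30.60 holds only 11 addresses, so a twelfth concurrent inside client cannot reach the web server because there is no PAT entry on the DMZ interface to fall back to; inside clients must address the server by its real address 10.30.30.30, since the static translation exists only between the DMZ and outside interfaces; and the web server itself cannot initiate connections into the inside network.

```python
"""Model of the translation and access policy built in this chapter.

Constructed example (not from the guide). It follows pre-8.3 ASA semantics:
traffic from a higher-security interface to a lower one is allowed by default,
traffic from a lower to a higher one needs an access rule, and a rule applied
inbound on the outside interface is matched against the public (translated)
destination address, which the static translation then maps to the real one.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Pool ID 200 as built in the scenario: 11 dmz-side addresses plus interface PAT on outside.
DMZ_POOL = [f"10.30.30.{h}" for h in range(50, 61)]
OUTSIDE_IF_IP = "209.165.200.225"
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")  # real addresses in the dynamic NAT rule
DMZ_NET = ipaddress.ip_network("10.30.30.0/24")     # assumption: the DMZ is a /24
WEB_REAL, WEB_PUBLIC = "10.30.30.30", "209.165.200.226"  # static (dmz,outside) pair

# Access rule applied inbound on outside: (action, protocol, source or None for any, destination host, port).
# Anything not matched here falls to the implicit deny. The rule name is an assumption, not from the guide.
OUTSIDE_ACCESS_IN = [("permit", "tcp", None, WEB_PUBLIC, 80)]


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Decision:
    action: str
    egress: Optional[str] = None
    xlate_src: Optional[str] = None   # source address as seen on the egress interface
    xlate_dst: Optional[str] = None   # destination address after untranslation
    reason: str = ""


class Firewall:
    def __init__(self) -> None:
        self.pool_xlates: dict[str, str] = {}  # inside real address -> pool address
        self.next_pat_port = 1024

    @staticmethod
    def _egress(dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        if addr in INSIDE_NET:
            return "inside"
        if addr in DMZ_NET:
            return "dmz"
        return "outside"

    def _dynamic_nat(self, src: str, egress: str) -> Optional[str]:
        """Translate an inside source for pool 200; None means the dmz range is exhausted."""
        if ipaddress.ip_address(src) not in INSIDE_NET:
            return src  # no nat rule matches; forwarded untranslated (assumes nat-control off, the default)
        if egress == "outside":
            self.next_pat_port += 1
            return f"{OUTSIDE_IF_IP}:{self.next_pat_port}"  # PAT using the outside interface address
        if src in self.pool_xlates:
            return self.pool_xlates[src]  # an existing xlate is reused
        free = [a for a in DMZ_POOL if a not in self.pool_xlates.values()]
        if not free:
            return None  # no PAT entry on dmz to fall back to, so the connection fails
        self.pool_xlates[src] = free[0]
        return free[0]

    def evaluate(self, pkt: Packet) -> Decision:
        if pkt.ingress == "outside":
            for action, proto, src, dst, dport in OUTSIDE_ACCESS_IN:
                if (proto, dst, dport) == (pkt.proto, pkt.dst, pkt.dport) and src in (None, pkt.src):
                    if action == "permit" and pkt.dst == WEB_PUBLIC:
                        return Decision("permit", "dmz", pkt.src, WEB_REAL, "access rule + static translation")
            return Decision("deny", reason="implicit deny inbound on outside")
        egress = self._egress(pkt.dst)
        if SECURITY_LEVEL[pkt.ingress] <= SECURITY_LEVEL[egress]:
            return Decision("deny", egress, reason="lower-to-higher security without an access rule")
        if pkt.ingress == "dmz" and pkt.src == WEB_REAL and egress == "outside":
            return Decision("permit", egress, WEB_PUBLIC, pkt.dst, "static translation applies both ways")
        xsrc = self._dynamic_nat(pkt.src, egress) if pkt.ingress == "inside" else pkt.src
        if xsrc is None:
            return Decision("deny", egress, reason="dynamic NAT pool 200 exhausted on dmz")
        return Decision("permit", egress, xsrc, pkt.dst, "higher-to-lower security, translated")


if __name__ == "__main__":
    fw = Firewall()
    for p in (Packet("inside", "10.10.10.5", WEB_REAL),
              Packet("outside", "203.0.113.9", WEB_PUBLIC),
              Packet("outside", "203.0.113.9", WEB_PUBLIC, dport=22),
              Packet("dmz", WEB_REAL, "10.10.10.5", dport=445)):
        print(p, "->", fw.evaluate(p))
```

Run it as a script to see the four sample decisions; to check the pool caveat, evaluate twelve distinct inside clients against 10.30.30.30 on a fresh Firewall and observe that the twelfth is denied.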


What to Do Next

If you are deploying the security appliance solely to protect a web server in a DMZ, you have completed the initial configuration.

You may want to consider performing some of the following additional steps:

To Do This ...                                                        See ...

Refine configuration and configure optional and advanced features     Cisco Security Appliance Command Line Configuration Guide

Learn about daily operations                                          Cisco Security Appliance Command Reference
                                                                      Cisco Security Appliance Logging Configuration and System Log Messages


You can configure the security appliance for more than one application. The following sections provide configuration procedures for other common applications of the security appliance.

To Do This ...                    See ...

Configure a remote-access VPN     "Scenario: IPsec Remote-Access VPN Configuration"

Configure a site-to-site VPN      "Scenario: Site-to-Site VPN Configuration"