Scenario: DMZ Configuration
A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
This chapter includes the following sections:
• Basic Network Layout for a DMZ Configuration
• Example DMZ Network Topology
• Configuring the Adaptive Security Appliance for a DMZ Deployment
• What to Do Next
Basic Network Layout for a DMZ Configuration
The network topology in Figure 8-1 is typical of most DMZ implementations of the adaptive security appliance. In this deployment, the web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server.
Figure 8-1 Private Network with DMZ
Example DMZ Network Topology
The chapter describes how to configure a DMZ deployment of the adaptive security appliance as shown in Figure 8-2.
Figure 8-2 Network Layout for DMZ Configuration Scenario
This example scenario has the following characteristics:
• The web server is on the DMZ interface of the adaptive security appliance.
• Clients on the inside network can access the web server in the DMZ and can also communicate with devices on the Internet.
• Clients on the Internet are permitted HTTP access to the DMZ web server; all other traffic coming from the Internet is denied.
• The network has one IP address that is publicly available: the outside interface of the adaptive security appliance (209.165.200.225). This public address is shared by the adaptive security appliance and the DMZ web server.
This section includes the following topics:
• An Inside User Visits a Web Server on the Internet
• An Internet User Visits the DMZ Web Server
• An Inside User Visits the DMZ Web Server
An Inside User Visits a Web Server on the Internet
Figure 8-3 shows the traffic flow through the adaptive security appliance when an inside user requests an HTTP page from a web server on the Internet.
Figure 8-3 An Inside User Visits an Internet Web Server
When an inside user requests an HTTP page from a web server on the Internet, data moves through the adaptive security appliance as follows:
1. The user on the inside network requests a web page from www.example.com.
2. The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed.
3. The adaptive security appliance performs network address translation (NAT) to translate the local source address (192.168.1.2) to the public address of the outside interface (209.165.200.225).
4. The adaptive security appliance records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the adaptive security appliance using the established session.
6. The adaptive security appliance uses NAT to translate the public destination address to the local user address, 192.168.1.2.
7. The adaptive security appliance forwards the packet to the inside user.
An Internet User Visits the DMZ Web Server
Figure 8-4 shows the traffic flow through the adaptive security appliance when a user on the Internet requests a web page from the DMZ web server.
Figure 8-4 An Outside User Visits the DMZ Web Server
When a user on the Internet requests an HTTP page from the DMZ web server, traffic flows through the adaptive security appliance as follows:
1. A user on the outside network requests a web page from the DMZ web server using the public IP address of the adaptive security appliance (209.165.200.225, the IP address of the outside interface).
2. The adaptive security appliance receives the packet and, because it is a new session, verifies that the packet is allowed.
3. The adaptive security appliance translates the destination address to the local address of the DMZ web server (10.30.30.30) and forwards the packet through the DMZ interface.
4. When the DMZ web server responds to the request, the adaptive security appliance translates the local address of the DMZ web server (10.30.30.30) to the public address of the DMZ web server (209.165.200.225).
5. The adaptive security appliance forwards the packet to the outside user.
An Inside User Visits the DMZ Web Server
Figure 8-5 shows an inside user accessing the DMZ web server.
Figure 8-5 An Inside User Visits a Web Server on the DMZ
In Figure 8-5, the adaptive security appliance permits HTTP traffic originating from inside clients and destined for the DMZ web server. Because the internal network does not include a DNS server, internal client requests for the DMZ web server are handled as follows:
1. A lookup request is sent to the DNS server of the ISP. The public IP address of the DMZ web server is returned to the client.
2. The internal client requests a web page from the public IP address of the DMZ web server. The adaptive security appliance receives the request on its inside interface.
3. The adaptive security appliance translates the public IP address of the DMZ web server to its real address (209.165.200.225 -> 10.30.30.30) and forwards the request out of its DMZ interface to the web server.
4. When the DMZ web server responds to the request, the adaptive security appliance receives the data on its DMZ interface and forwards the data out of its inside interface to the user.
The procedures for creating this configuration are detailed in the remainder of this chapter.
Configuring the Adaptive Security Appliance for a DMZ Deployment
This section describes how to use ASDM to configure the adaptive security appliance for the configuration scenario shown in Figure 8-2. The procedure uses sample parameters based on the scenario.
This configuration procedure assumes that the adaptive security appliance already has interfaces configured for the inside interface, the outside interface, and the DMZ interface. Set up interfaces on the adaptive security appliance by using the Startup Wizard in ASDM. Be sure that the DMZ interface security level is set between 0 and 100. (A common choice is 50.)
For more information about using the Startup Wizard, see Chapter 1, "Configuring the Adaptive Security Appliance."
The section includes the following topics:
• Configuration Requirements
• Information to Have Available
• Starting ASDM
• Enabling Inside Clients to Communicate with Devices on the Internet
• Enabling Inside Clients to Communicate with the DMZ Web Server
• Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding)
• Providing Public HTTP Access to the DMZ Web Server
The remainder of this chapter provides instructions for how to implement this configuration.
Configuration Requirements
This DMZ deployment of the adaptive security appliance requires configuration rules as follows:
| So That... | Create These Rules... |
| --- | --- |
| Internal clients can request information from web servers on the Internet | The adaptive security appliance comes with a default configuration that permits inside clients access to devices on the Internet. No additional configuration is required. |
| Internal clients can request information from the DMZ web server | • A NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225). • A NAT rule between the inside and DMZ interfaces that translates the real addresses of the internal client network. In this scenario, the real IP address of the internal network is "translated" to itself, that is, the real IP address of the internal network is used when internal clients communicate with the DMZ web server (10.10.10.30 to 10.30.30.30). |
| External clients can request information from the DMZ web server | • An address translation rule between the outside and DMZ interfaces that translates the public IP address of the DMZ web server to its private IP address (209.165.200.225 to 10.30.30.30). • An access control rule permitting incoming HTTP traffic that is destined for the DMZ web server. |
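The three traffic flows walked through in Figures 8-3 to 8-5 and the rules in this table, as an added example that is not Cisco's code and does not come from the appliance: a small Python model of how the first packet of a session is admitted and translated, and how the reply is matched back to that session. The scenario addresses are the chapter's own; the interface names, the remote addresses 203.0.113.10 and 198.51.100.7, and the address-only connection table are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Addresses from the chapter's scenario (Figure 8-2).
OUTSIDE_IP = ip_address("209.165.200.225")  # public address shared by the appliance and the web server
WEB_REAL = ip_address("10.30.30.30")        # real (private) address of the DMZ web server
INSIDE_NET = ip_network("192.168.1.0/24")   # internal client network

# The only hole in the outside interface's default deny: the static PAT rule plus the
# access rule permitting tcp/http from any source to the web server's public address.
OUTSIDE_PERMITS = {("tcp", OUTSIDE_IP, 80)}

# Constructed connection table: (egress, translated src, translated dst) -> (ingress, src, dst).
# Source ports are ignored, so it keeps one session per address pair (a simplification).
SESSIONS = {}

def new_session(ingress, src, dst, proto="tcp", dport=80):
    """First packet of a session. Returns (egress, translated_src, translated_dst),
    or None when the appliance denies the packet."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress == "outside":
        # Flow 2 (Figure 8-4): only the permitted service reaches the DMZ, and the
        # destination is untranslated from the public address to the server's real address.
        if (proto, dst, dport) not in OUTSIDE_PERMITS:
            return None
        result = ("dmz", src, WEB_REAL)
    elif ingress == "inside" and src in INSIDE_NET:
        if dst == OUTSIDE_IP:
            # Flow 3 (Figure 8-5): the dmz<->inside static rule maps the public address
            # back to 10.30.30.30, and the inside->dmz rule leaves the client address as is.
            result = ("dmz", src, WEB_REAL)
        else:
            # Flow 1 (Figure 8-3): dynamic PAT hides the client behind the outside interface.
            result = ("outside", OUTSIDE_IP, dst)
    else:
        return None  # sessions started from the DMZ are not covered by this scenario
    SESSIONS[result] = (ingress, src, dst)  # "records that a session is established"
    return result

def reply(from_iface, src, dst):
    """Return packet from the far end. Forwarded only if it matches an established
    session, with addresses translated back to the originals; otherwise None."""
    entry = SESSIONS.get((from_iface, ip_address(dst), ip_address(src)))
    if entry is None:
        return None
    ingress, orig_src, orig_dst = entry
    return (ingress, orig_dst, orig_src)  # forwarded out the original ingress interface

if __name__ == "__main__":
    print(new_session("inside", "192.168.1.2", "203.0.113.10"))       # -> outside, PAT to 209.165.200.225
    print(reply("outside", "203.0.113.10", "209.165.200.225"))         # -> inside, back to 192.168.1.2
    print(new_session("outside", "198.51.100.7", "209.165.200.225"))  # -> dmz, dst 10.30.30.30
    print(new_session("outside", "198.51.100.7", "209.165.200.225", dport=22))  # -> None (denied)
```

An unsolicited packet from the Internet that does not match the single tcp/80 permit, and a "reply" for which no session exists, both come back as None, which is the default-deny behaviour the chapter relies on.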
Information to Have Available
Before you begin this configuration procedure, gather the following information:
• Internal IP address of the server inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).
• Public IP addresses to be used for servers inside the DMZ. (Clients on the public network will use the public IP address to access the server inside the DMZ.)
• Client IP address to substitute for internal IP addresses in outgoing traffic (in this scenario the IP address of the outside interface). Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.
Enabling Inside Clients to Communicate with Devices on the Internet
To permit internal clients to request content from devices on the Internet, the adaptive security appliance translates the real IP addresses of internal clients to the external address of the outside interface (that is, the public IP address of the adaptive security appliance). Outgoing traffic appears to come from this address.
Enabling Inside Clients to Communicate with the DMZ Web Server
In this procedure, you configure the adaptive security appliance to allow internal clients to communicate securely with the web server in the DMZ. To accomplish this, you must configure a NAT rule between the DMZ and inside interfaces that translates the real IP address of the DMZ web server to its public IP address (10.30.30.30 to 209.165.200.225).
This is necessary because when an internal client sends a DNS lookup request, the DNS server returns the public IP address of the DMZ web server.
Note: Because there is no DNS server on the inside network, DNS requests must exit the adaptive security appliance to be resolved by a DNS server on the Internet.
This section includes the following topics:
• Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces
• Translating the Public Address of the Web Server to its Real Address on the Inside Interface
Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces
To configure NAT to translate internal client IP addresses between the inside interface and the DMZ interface, perform the following steps:
Step 1  In the main ASDM window, click the Configuration tool.
Step 2  In the Device List area on the left side of the ASDM window, click Firewall.
Step 3  In the Firewall pane on the left side of the ASDM window, click NAT Rules.
Step 4  Click the green plus (+) icon and choose Add Static NAT Rule.
The Add Static NAT Rule dialog box appears.
Step 5  In the Original area, specify the IP address to be translated. For this scenario, address translation for inside clients is performed for the entire 192.168.1.0 subnet.
    a. From the Interface drop-down list, choose the Inside interface.
    b. In the Source field, enter the IP address of the client or network. In this scenario, the IP address of the network is 192.168.1.0.
Step 6  In the Translated area, do the following:
    a. From the Interface drop-down list, choose the DMZ interface.
    b. In the IP Address field, enter the IP address of the internal client or network. In this scenario, the IP address of the network is 192.168.1.0.
    c. Click OK to add the Static NAT Rule and return to the Configuration > NAT pane.
Review the configuration pane to verify that the translation rule appears as you expected. The rule should appear similar to the following:
Step 7  Click Apply to complete the adaptive security appliance configuration changes.
Translating the Public Address of the Web Server to its Real Address on the Inside Interface
To configure a NAT rule that translates the public IP address of the web server to its real IP address, perform the following steps:
Step 1  In the Configuration > Firewall > NAT Rules screen, click the green + (plus) icon and choose Add Static NAT Rule.
The Add Static NAT Rule dialog box appears.
Step 2  In the Original area, do the following:
    a. From the Interface drop-down list, choose DMZ.
    b. In the Source field, enter or choose from the IP Address drop-down list the real (private) address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.
Step 3  In the Translated area, do the following:
    a. From the Interface drop-down list, choose Inside.
    b. Enter or choose from the IP Address drop-down list the public address (or mapped address) of the DMZ web server. In this scenario, the IP address is 209.165.200.225.
Step 4  Click OK to return to the Configuration > NAT pane. The configuration should look similar to the following:
Step 5  Click Apply to complete the adaptive security appliance configuration changes.
Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding)
The DMZ web server needs to be accessible by all hosts on the Internet. This configuration requires translating the private IP address of the DMZ web server to a public IP address, which allows outside HTTP clients to access the web server without being aware of the adaptive security appliance. In this scenario the DMZ web server shares a public IP address with the outside interface of the adaptive security appliance (209.165.200.225).
To map the real web server IP address (10.30.30.30) statically to a public IP address (209.165.200.225), perform the following steps:
Step 1  In the Configuration > Firewall > NAT Rules pane, choose Add Static NAT Rule from the Add drop-down list.
The Add Static NAT Rule dialog box appears.
Step 2  In the Original area, specify the real IP address of the web server:
    a. From the Interface drop-down list, choose the DMZ interface.
    b. Enter the real IP address of the DMZ web server. In this scenario, the IP address is 10.30.30.30.
Step 3  In the Translated area, specify the public IP address to be used for the web server:
    a. From the Interface drop-down list, choose Outside.
    b. Click the Use Interface IP Address radio button. This is the IP address for the specified interface, in this case, the outside interface.
Step 4  Configure Port Address Translation.
Because there is only one public IP address, it is necessary to use Port Address Translation to translate the IP address of the DMZ web server to the public IP address (IP address of the Outside interface) of the adaptive security appliance. To configure Port Address Translation, perform the following steps:
    a. Check the Enable Port Address Translation check box.
    b. Click the TCP Protocol radio button.
    c. In the Original Port field, enter 80.
    d. In the Translated Port field, enter 80.
    e. Click OK to add the rule and return to the list of Address Translation Rules.
This rule maps the real web server IP address (10.30.30.30) statically to the public IP address of the web server (209.165.200.225).
Step 5  Confirm that the rule was created the way you expected. The displayed configuration should be similar to the following:
Step 6  Click Apply to complete the adaptive security appliance configuration changes.
Providing Public HTTP Access to the DMZ Web Server
By default, the adaptive security appliance denies all traffic coming in from the public network. To permit traffic coming from the Internet to access the DMZ web server, you must configure an access control rule permitting incoming HTTP traffic destined for the DMZ web server.
This access control rule specifies the interface of the adaptive security appliance that processes the traffic, that the traffic is incoming, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted.
In this section, you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet, if the destination of the traffic is the web server on the DMZ network. All other traffic coming in from the public network is denied.
To configure the access control rule, perform the following steps:
Step 1  In the main ASDM window, do the following:
    a. Click the Configuration tool.
    b. In the Firewall pane, click Access Rules.
    c. Click the green plus icon, then choose Add Access Rule.
The Add Access Rule dialog box appears.
Step 2  In the Add Access Rule dialog box, do the following:
    a. From the Interface pull-down list, choose Outside.
    b. Click the Permit Action radio button.
    c. In the Source field, enter Any.
    d. In the Destination field, enter the public IP address of the web server (209.165.200.225).
    e. In the Service field, enter TCP/http.
At this point, the entries in the Add Access Rule dialog box should be similar to the following:
    f. Click OK to return to the Security Policy > Access Rules pane.
The displayed configuration should be similar to the following.
Verify that the information you entered is accurate.
Click Apply to save the configuration changes to the configuration that the adaptive security appliance is currently running.
Clients on the public network can now resolve HTTP requests for content from the DMZ web server, while keeping the private network secure.
Step 3  If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.
Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
What to Do Next
If you are deploying the adaptive security appliance solely to protect a web server in a DMZ, you have completed the initial configuration. You may want to consider performing some of the following additional steps:
| To Do This... | See... |
| --- | --- |
| Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide |
| Learn about daily operations | Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages |
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.