Creating a DMZ using Cisco ASA
August 24, 2011
Creating a DMZ using a Cisco ASA 5520
Manage your Public accessed resources and secure them using the Adaptive Security Appliance
A DMZ ensures that in case of an attack, only the public servers are affected and not the internal systems, because the intrusion is contained within the zone itself. A Cisco ASA can be used, like any other firewall, to create such zones easily. With the Cisco ASA, the added advantage is that you do not need multiple devices to meet your security and connectivity needs for remote or public users.
This article will help you configure a DMZ in which you can keep devices such as HTTP servers, SMTP servers, etc., to be accessed by the public over the internet.
This is my example target network design.
So we have a Cisco ASA acting as a firewall only (otherwise, normally I would have the outside interface with a public IP to serve VPN as well as my stateful and transparent firewall). However, this is just for the demonstration.
Steps
Before moving on to configurations and procedures, it is conceptually important to understand the implementation. A DMZ, as I mentioned, is a zone where we can restrict the traffic that arrives to access public resources. Therefore, we will create a ‘zone’, give it an IP range and then ensure that we have the right rules to allow business functions. Simple, isn’t it? OK, let’s configure this and get it working!
Step 1 – Configure an Interface to act as DMZ “Zone”
Let us define an interface on the Cisco ASA and call it DMZ. You can name it anything you want depending on your company standard nomenclature.
- Open the ASDM and connect to the ASA box.
- Navigate to Device Setup and click on Interfaces.
- Click on “Add” to add an interface.

You can see that you have defined an interface and named it dmz. Be careful while defining the subnet: the IP range you specify must not clash with the IP range you may have defined for other interfaces.
Step 2 – Configure the Access Entries (ACL)
Now, since I have an SMTP server inside my network, I will ensure that I define rules to access this resource from the internet and also from my LAN. I will now specify rules to permit protocol-based, port-bound traffic from the resource to the outside world, from the outside world to the resource, and also from LAN devices to my resource kept inside the DMZ.
Configure a rule for any device from the outside interface to access 126.100.60.2 only on the SMTP port.
- Click on Firewall.
- Go to Advanced and open the ACL Manager.
- Click on Add ACL and type the name of the ACL. I will use dmz_control.
- Now click on “Add ACE”

- Click OK to save the configuration.
Configure the rule to allow the SMTP server to interact with the public.
Similarly, you can define the rules from inside interface as well.
That's it! Since this is a connected interface, you do not have to define any static routes. Now you can see that traffic will start flowing from both the inside and outside interfaces.
Write to me if you need more info.
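The same DMZ interface and dmz_control ACL from Steps 1 and 2, expressed as ASA CLI instead of ASDM clicks. This is an added example, not configuration from the original article: the physical interface GigabitEthernet0/2, the ASA's own DMZ address 126.100.60.1, the security levels, the inside range 192.168.10.0/24 and the packet-tracer source 203.0.113.10 are all assumed or constructed; only the interface name dmz, the ACL name dmz_control and the server 126.100.60.2 come from the article. It also assumes no NAT is in play, as the article defines none.

```cisco
! Step 1 - the DMZ "zone": a third interface with its own subnet.
! Security levels follow the usual convention (outside 0, dmz 50, inside 100):
! traffic from a higher level to a lower one is allowed by default, the
! reverse direction needs an explicit ACL entry. Interface and IP are assumed.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 126.100.60.1 255.255.255.0
 no shutdown
!
! Step 2 - inbound from the internet: only TCP/25 to the SMTP server.
! Everything else from outside to the DMZ or inside is dropped and logged.
access-list dmz_control extended permit tcp any host 126.100.60.2 eq smtp
access-list dmz_control extended deny ip any any log
access-group dmz_control in interface outside
!
! Traffic originating in the DMZ: the mail server may deliver outbound
! mail, but a compromised DMZ host must not reach the inside LAN
! (192.168.10.0/24 is a constructed example range). Without this ACL the
! dmz (50) -> inside (100) direction is already blocked, but the explicit
! deny gives you a hit counter and a syslog entry to alert on.
access-list dmz_out extended deny ip host 126.100.60.2 192.168.10.0 255.255.255.0 log
access-list dmz_out extended permit tcp host 126.100.60.2 any eq smtp
access-list dmz_out extended deny ip any any log
access-group dmz_out in interface dmz
!
! Verification, run from enable mode (not part of the stored config):
! packet-tracer simulates a single packet through the ACLs and shows which
! access-list line allows or drops it; the second trace must end in DROP.
! packet-tracer input outside tcp 203.0.113.10 40000 126.100.60.2 25
! packet-tracer input dmz tcp 126.100.60.2 40000 192.168.10.20 445
! show access-list dmz_control
```

The `show access-list` hit counts are the quickest check that traffic is actually matching the permit line rather than the logged deny.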
Tushar SINGH
matrixtushar@gmail.com